How to Delegate Control your Citrix Virtual Apps and Desktops to your Administrators and Helpdesk users in the Citrix Cloud


Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Share on RedditEmail this to someone
Share Button

One of the two huge limitations of the Citrix Cloud were (yes, in the past) the possibility to provide an advanced method to provide delegated access to your Administrators and Helpdesk users. Smaller SMBs customers mostly having one or two admins and can leverage this setting easily, although larger enterprise customers are facing a massive problem as they have more roles to delegated within their IT department. This was a huge limitation…

“Control the Things You Can Control” – Samantha Stosur

The second limitation was (yes, again in the past) logging. It could be that you never missed the feature in the Citrix Cloud. But from what I’ve heard – most companies don’t leverage Citrix Cloud Workspaces – because of this simple limitation. We all know that Citrix Cloud is built up from the On-Premises FMA architecture, which was initially not designed for multi-tenant access – and for this specific reason – logging wasn’t there from the beginning. Citrix rebuilt the way how logging gathers it’s information and made it available for current release customers and later on the rest through the Canary enrollment process (read more about this later on).

Big thumbs up for the Citrix Engineering and Dev team that were involved in this. I had the privilege to test this new enhancement as being a Citrix CTP – and must say that it’s already working great.

See below the different Delegated Roles that are available in a diagram.

In this article, I’ll describe how you can use the new Delegation and Control capabilities in the Citrix Cloud as well as the (new) logging functionality.

Enjoy reading!

Table of Contents

Click on the title to forward in the article:

What’s the Citrix Cloud Canary enrollment process?

Citrix releases new feature and enhancements in Citrix Cloud through an update management process, so this Delegated Control and Logging feature might not be available for every customer right now. Citrix said that all the Citrix Cloud customers will have these 2 new enhancements in the next 2 weeks available in their Virtual Apps and Desktop environment.

Interested how update management works within the Citrix Cloud? Citrix works with a so-called Canary Process, and it works like this.

  • 4-5 Day process to migrate customers to new code
  • If issues observed, hard stop until the issue is resolved
  • Test State: Internal customers to verify deployment 
  • Opt-In: Customers who have explicitly notified Citrix that they want latest stable code as quickly as possible within Citrix Cloud
  • Opt-Out: Customers who want to wait until 100% state is achieved

How to provide Citrix Cloud Delegated Access to the Citrix Cloud

With this new Citrix Cloud platform feature enhancement, you can begin leveraging this feature to control access to select areas within the Virtual Apps and Desktops Service.

Go to citrix.cloud.com

Open the hamburger menu – click on Identity and Access Management

Click on Administrators

Choose for Citrix Identity / or Azure AD if you want to delegate rights to a user within your Azure Active Directory environment.

Enter the users email address which you want to provide the right to and click on invite

Note: This can be every valid email address that you like to use. It, for instance, doesn’t require an existing link to Citrix.

Click on Send Invite

Confirm that the account is listed and the status – Invite sent

Let the user opens their welcome email to Citrix Cloud.

Click on Sign In

 Note: If those specific users don’t have a Citrix Cloud account, he’ll be asked to create one.

If you already have a Citrix Cloud account, this will be the message:

The account is now ready to use.

If not, you’ll be asked to create one. Just go through the onboarding process of a new Citrix Cloud account. Similar to picture below…

Assign Delegated rights to Administrators

Delegated Administration uses three concepts: administrators, roles, and scopes. Permissions are based on an administrator’s role and the scope of this role. For example, an administrator might be assigned a Help Desk administrator role where the scope involves responsibility for end-users at one site only.

Don’t know what Delegated rights are? Please continue reading through this official Citrix Docs article, which explains most of the basics.

Return to Identity and Access Management

Go to Administrators

Click on the 3 dots – followed by Edit Access

Click on Custom Access

Select the rights that you want to assign to your administrators

The rights are successfully applied

Change the Scope for the administrators

Changing the scope makes it possible to hide a certain amount of configuration items in Citrix Studio within Citrix Cloud. You can include Machine Catalogs and Exclude Delivery Groups, so the users only can manage that specific item.

Switch back to the Citrix Cloud– Dashboard

Click on Manage below Virtual Apps and Desktops (previously XenApp and XenDesktop) Service

Click on Administrators

And you’ll see the new add administrator listed in the Administrators menu of the Citrix Cloud studio

 

 Click on Scopes

 Create an additional Scope to limit the access for the different users

 

 Select the Delivery Groups, Hosting and Machine Catalogs items

Please make sure that the Role is listed in the list of Scopes…

 So, What about Roles – custom definitions?

Unfortunately – changing role definitions are not supported yet. Citrix is working on this and will add this very soon as follow up to this add-on to the Citrix Cloud!

Now return back to the Identity and Access menu and apply the just created Role to your Administrators.

 (You’ll see my just created Helpdesk Users added to the list!)

 After you set the custom access roles – They will only see the resources you specified in the Studio!

The rights are successfully applied

 

Citrix Cloud logging

Next to this Delegated Control – awesome add-on to the Citrix Cloud, Citrix also made logging available together with the delegation option. Based on the email address of the administrator, you’ll now see which actions have been performed on the site within the Studio.

See below how the Logging Console within Citrix Cloud

That’s it again – hope this helps, and thanks for stopping by.

Cheers,

Christiaan Brinkhoff

Share Button
Christiaan Brinkhoff

Christiaan Brinkhoff

Christiaan Brinkhoff works as a Cloud Architect and Evangelist, and own his own consulting firm. Where he focuses mainly on Public Cloud infrastructures and End-User Computing environments for the larger multinational enterprise customers. He designs and provide complex migrations, helps customers with the Digital Transformation, advises on Cloud strategies, writes business continuity plans, strategies, and realizes on-premises and cloud-based environments. When he wants to get something done, he keeps going until he reaches his goal. He is very resourceful in finding solutions for challenges that seem impossible at first.

In addition to his work, he also shares his knowledge by speaking at large international conferences, such as Citrix Synergy, E2E - PubForum, local user groups (Dutch, Irish, Swedish and Denmark User Group), and provides webinars and writes articles for IT vendors, as well as his website, christiaanbrinkhoff.com - to share his passion for Cloud innovation. This community-related work got him the privilege to achieve the following three vendor awards, such as Microsoft Valuable Professional (MVP) for Microsoft Azure, Citrix Technology Professional (CTP), and VMware vExpert.
Christiaan Brinkhoff