ShareFile one-click User Provisioning

There are various ways to create your users in ShareFile (Control Plane). One of them is creating users via the Citrix ShareFile User Management Tool (UMT). In a XenMobile Enterprise environment, Citrix AppController is also able to create ShareFile users automatically. However, AppController brings some limitations; for instance, Active Directory groups can’t be synchronized with AppController. This is why I prefer using the ShareFile UMT to create ShareFile users.

Groups Rule

First we need to specify which Active Directory group needs to be synchronized to the ShareFile control plane.
When we click the “add rule” button, the ShareFile UMT will suggest creating the same group as a ShareFile distribution group and adding the same users to it as are in the Active Directory group. ShareFile UMT will also suggest creating a users-generating rule.

Users Rule
A Users Rule is needed to create the Active Directory group members in the ShareFile control plane. Keep in mind that user passwords are never synchronised to the ShareFile control plane!
Make sure to select the “Update ShareFile employee information based on the selected AD object” option to let ShareFile UMT disable a ShareFile user as soon as this user is disabled in Active Directory.

After creating the Users Rule we have 2 rules available: one rule for creating the Active Directory distribution group members in ShareFile, and one rule for managing the ShareFile distribution group.

Now we can manually create the Active Directory group members in ShareFile via the “Refresh” and “Commit now” buttons.

Automatic Provisioning
ShareFile UMT is also able to run automatically. To do so, we need to schedule the UMT rules. Within the UMT rules tab click “Schedule”:

With the Continuous option ShareFile UMT will commit changes every hour via the Microsoft Task Scheduler. However, this job will only run when the user is logged on.

To run ShareFile UMT automatically without the need to log on, we need to select the option “Run whether the user is logged on or not” and specify a user.
If this user is a regular domain user without admin privileges, we need to assign this user the “Log on as a batch job” right via the local security policy or via an Active Directory group policy.

From now on, a user who is a member of the ShareFile Active Directory group will be created in the ShareFile Control plane automatically.

Automatic Deprovisioning

Since we now have an automated way to provision ShareFile users, we also want to be able to disable ShareFile users automatically (removing ShareFile users via UMT isn’t possible). Because we selected the option “Update ShareFile employee information based on the selected AD object”, ShareFile UMT will disable the ShareFile user as soon as the account is disabled in Active Directory. At this moment a disabled ShareFile user keeps getting ShareFile notifications via email; ShareFile support is aware of this.

User object details

To create a ShareFile user, the Active Directory user needs at least a first name, a last name and an e-mail address. If one of these attributes is empty, the ShareFile user can’t be synchronised between Active Directory and the ShareFile Control plane.
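
A pre-flight check for the requirement above, as an added example that is not part of the original post or of the UMT: it flags accounts with an empty first name, last name or e-mail address, and accounts disabled in Active Directory that should therefore be disabled in ShareFile. The function name, the sample users and the group name `ShareFile-Users` are assumptions.

```powershell
# Added example (not UMT code): report AD users the UMT cannot synchronise,
# plus accounts disabled in AD whose ShareFile status should be verified.
function Get-ShareFileSyncGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User
    )
    process {
        # The three attributes the post lists as the minimum for a ShareFile user.
        $missing = @()
        if ([string]::IsNullOrWhiteSpace($User.GivenName))    { $missing += 'First name' }
        if ([string]::IsNullOrWhiteSpace($User.Surname))      { $missing += 'Last name' }
        if ([string]::IsNullOrWhiteSpace($User.EmailAddress)) { $missing += 'E-mail address' }

        if ($missing.Count -gt 0) {
            $finding = 'Cannot be synchronised, missing: ' + ($missing -join ', ')
        } elseif (-not $User.Enabled) {
            $finding = 'Disabled in AD; confirm the ShareFile account is disabled too'
        } else {
            return   # complete and enabled: nothing to report
        }
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; Finding = $finding }
    }
}

# Constructed sample data so the check runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; GivenName = 'Alice'; Surname = 'Jansen'
                       EmailAddress = 'alice@example.test'; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'bob';   GivenName = 'Bob';   Surname = ''
                       EmailAddress = $null; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'carol'; GivenName = 'Carol'; Surname = 'Smit'
                       EmailAddress = 'carol@example.test'; Enabled = $false }
)
$sample | Get-ShareFileSyncGap | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module; group name is a placeholder):
# Get-ADGroupMember -Identity 'ShareFile-Users' |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties EmailAddress |
#     Get-ShareFileSyncGap
```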

Update February 2020

After writing this original blogpost back in 2014 Citrix renamed ShareFile to Content Collaboration. Since this was written in ShareFile style I’ll keep mentioning ShareFile 🙂

At the moment Citrix is rolling out two-step verification (two-factor authentication) for all users. More info on this here: https://support.citrix.com/article/CTX208336.

If two-step verification is enabled, you’ll notice that the ShareFile UMT will stop synchronizing. The article suggests creating App Passwords from within the ShareFile Control Plane. However, according to the article, the App Password will not work for scheduled synchronization tasks:
“User Management Tool – the app specific password is only supported when using the UMT UI and is not supported when using scheduled task”

I can confirm that the ShareFile App Password function will work when you re-create the scheduled tasks from within the ShareFile UMT. Basically the following steps are required:

  1. Create the App Password from within the ShareFile Control Plane for the user account that will synchronize the settings (Settings > Personal Settings > Personal Security > Two-Step Verification)
  2. Login to the ShareFile UMT with the new App Password (instead of the admin password that was normally used for this account)
  3. Remove the current synchronization rules from within the UMT, this will also remove the scheduled task.
  4. Create a new schedule from within the UMT as mentioned in this blogpost.
  5. Edit the scheduled task and enable the “Run whether the user is logged on or not” option.

After those changes the ShareFile UMT scheduled task should be working again, with two-step verification enabled!
