ShareFile one-click User Provisioning


There are various ways to create your users in ShareFile (Control Plane). One of them is creating users via the Citrix ShareFile User Management Tool (UMT). In case of a XenMobile Enterprise environment Citrix AppController is also able to create ShareFile users automatically. However, AppController bring some limitations because f.i. Active Directory groups can’t be synchronized with AppController. So this is why I prefer using the ShareFile UMT to create ShareFile users.

Groups Rule

First we need to specify which Active Directory group needs to be synchronized to the ShareFile control plane.
When we click the “add rule” button the ShareFile UMT will suggest create the same group as a ShareFile distribution group and add the ShareFile users to the ShareFile distribution group as in the Active Directory group. ShareFile UMT will also suggest to create a users-generating rule.

Users Rule
A Users Rule is needed to create the Active Directory group members in the ShareFile control plane. Keep in mind user passwords won’t get synchronised to the ShareFile control plane, never!
Make sure to select the “Update ShareFile employee information based on the selected AD object” option to let ShareFile UMT disable a ShareFile user as soon as this user is disabled in Active Directory.

After the Users Rule creation we do have 2 rules available. One rule for creating the Active Directory distribution group members into ShareFile. And a rule for managing the ShareFile distribution group.

Now we can manually create Active Directory group members into ShareFile via the “Refresh” and “Commit” now buttons.

Automatic Provisioning
ShareFile UMT is also able to run automatically. Therefore we need to schedule the UMT rules. Within the UMT rules tab click “Schedule”:

With the Continuous option ShareFile UMT will commit changes every hour via the Microsoft Task Scheduler. However, this Job will only run when the user is logged on.


To run ShareFile UMT automatically  without the need to logon we need to select the option”Run whether the user is logged on or not” and specify a user.
If this user is a regular domain user without admin privilleges we need to assign this user the “Log on as a batch job” right via the local security policy or via a Active Directory group policy:
scheduled_task_3From now on, a user who is member of the ShareFile Active Directory group will be created in the ShareFile Control plane automatically.

Automatic Deprovisionging

Since we now have a automated way to provision ShareFile users we also want to be able to disable ShareFile users automatically (removing ShareFile users via UMT isn’t possible). Because we selected the option “Update ShareFile employee information based on the selected AD object” ShareFile UMT will disabled the ShareFile user as soon as the account is disabled in Active Directory. At this moment a disabled ShareFile user keeps getting ShareFile notifications via email, ShareFile support is aware of this.

User object details

To create a ShareFile user the Active Directory user needs at least a: First name, Last name and E-mail address. If one of these objects is empty the ShareFile user can’t be synchronised between Active Directory and the ShareFile Control plane.

Leave a Reply




This site uses Akismet to reduce spam. Learn how your comment data is processed.

Visit Us On TwitterVisit Us On Linkedin