Citrix DaaS for Citrix Service Providers
This article describes how Citrix Service Providers (CSP) can set up Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) for tenant customers in Citrix Cloud. For an overview of the features available for Citrix Partners, see Citrix Cloud for Partners.
Requirements
- You are a Citrix Service Provider partner.
- You have a Citrix Cloud account.
- You have a subscription to Citrix DaaS.
Limitations and known issues
Limitations
- Tenant name changes take up to 24 hours to apply across all interfaces.
- When creating a tenant, the email address must be unique.
- Filtering in Studio by scope (similar to Monitor) is not available. To see the resources attached to a scope, select Administrators in the left pane. On the Scopes tab, select the scope and then select Edit Scope in the Action pane.
Known issues
- After scopes are assigned to a resource, you cannot use the management console to remove or unassign them. Those tasks are supported only through PowerShell.
- The Studio doesn’t enforce scopes. You are responsible for selecting the appropriate scope when creating machine catalogs, delivery groups, and application groups.
- When more than 15 scopes are created (auto-created and custom), the Citrix Cloud custom access information for an administrator (Identity and Access Management > Administrators) does not display correctly. Workaround: Limit scopes to 15 or fewer.
Invite or add a customer
- Sign in to Citrix Cloud with your CSP credentials. Select My Customers in the upper left menu.
-
From the Customer Dashboard, click Invite or Add. Select one of the following:
- Invite a Citrix Cloud Customer: applicable to onboard a single-tenant customer.
- Add a customer: applicable to onboard a multi-tenant customer.
-
To connect with an existing Citrix Cloud customer, copy and send the Citrix Cloud URL to the customer. For more information, see Create connections with customers. The customer must add you as a full access administrator to their account. See Add administrators to a Citrix Cloud account.
Note:
If the customer does not have a Citrix Cloud account, adding the customer creates a customer account. Adding the customer also automatically adds you as a full access administrator of that customer’s account.
You can add more administrators later and control which customers they can see on Studio.
Add Citrix DaaS to a customer
- Sign in to Citrix Cloud with your CSP credentials. Select My Customers in the upper left menu.
- From the Customer Dashboard, in the ellipsis menu for the customer, select Add Service.
- In Select a service to add, select Virtual Apps and Desktops.
- Select Continue.
After you complete this procedure, the customer is onboarded to your Citrix DaaS subscription.
When the onboarding completes, a new customer scope is created automatically in Citrix DaaS. The scope is visible in the Studio display. This scope is unique to that customer. You can rename the scope, but you cannot delete it.
Use this scope to tailor access for other administrators. For example, let’s say you have 10 customers and two administrators. Using the unique scope, you can restrict one administrator’s access to only three of the customers. The other administrator can access one of those three customers, plus two other customers. For details, see Control administrator access to customers.
Set up a resource location
A resource location holds the machines that deliver apps and desktops for your customers, and infrastructure components such as Citrix Cloud Connectors. For details, see Connect to Citrix Cloud.
Set up catalogs and groups to deliver apps and desktops
Note:
To manage DaaS for a tenant customer, you must switch to the CSP customer’s account. To do so, click the customer name in the upper-right menu and click Change customer.
A catalog is a group of identical virtual machines. When you create a catalog, an image is used (with other settings) as a template for creating the machines. For details, see Create machine catalogs.
A delivery group is a collection of machines selected from one or more machine catalogs. The delivery group specifies which users can use those machines, plus the applications or desktops available to those users. For details, see Create delivery groups.
Application groups let you manage collections of applications. You can create application groups for applications shared across different delivery groups or used by a subset of users within delivery groups. For details, see Create application groups.
When configuring groups, be sure that:
- The delivery group’s scope is a subset of the machine catalog’s scope. For example, assume the catalog’s scope is A and B. The delivery group’s scope can be either A or B, or A and B.
- The application group’s scope is a subset of the delivery group’s scope. For example, assume the delivery groups associated with an application group have scope A and B. The application group’s scope can be either A or B, or A and B.
Federated domains
Federated domains enable customer users to use credentials from a domain attached to your resource location to sign in to their workspace. This allows you to provide dedicated workspaces to your customers that customer users can access using a custom workspace URL (for example, customer.cloud.com), while the resource location is still on your Citrix Cloud account. You can provide dedicated workspaces alongside the shared workspace that customers can access using your CSP workspace URL (for example, csppartner.cloud.com).
To enable customers to access their dedicated workspace, you add them to the appropriate domains that you manage. After configuring the workspace through Workspace Configuration, customers’ users can sign in to their workspace and access the apps and desktops that you’ve made available.
Add a customer to a domain
- Sign in to Citrix Cloud with your CSP credentials. Select My Customers in the upper left menu.
- From the Customer Dashboard, select Identity and Access Management in the upper left menu.
- On the Domains tab, select Manage Federated Domain in the domain’s ellipsis menu.
- On the Manage Federated Domain card, in the Available customers column, select a customer you want to add to the domain. Select the plus sign next to the customer name. The selected customer now appears in the Federated customers column. Repeat to add other customers. When you’re done, select Apply.
Remove a customer from a domain
When you remove a customer from a domain that you manage, the customer’s users can no longer access their workspaces using credentials from your domain.
- From the Citrix Cloud menu, select Identity and Access Management, then select Domains.
- Locate the domain that you want to manage and select the ellipsis button. Select Manage Federated Domain.
- From the list of federated customers, locate or search for the customers you want to remove and select the X button. Select Remove all to remove all the customers in the list from the domain. The selected customers move to the list of available customers.
- Select Apply.
- Review the customers that you selected and select Remove Customers.
Control administrator access to customers
You can control administrator access to customers by using the unique scope that was created when you added Citrix DaaS to the customer. You can configure access when you add an administrator or later.
To learn about restricting access using roles and scopes in Citrix DaaS, see Delegated administration.
Add an administrator with restricted access
- Sign in to Citrix Cloud with your CSP credentials. Select My Customers in the upper left menu.
- From the Customer Dashboard, select Identity and Access Management in the upper left menu.
- On the Administrators tab, select Add Administrators From, and then select Citrix Identity.
- Type the email address of the person that you’re adding as an administrator, and then select Invite.
- Configure the appropriate access permissions for the administrator. Citrix recommends selecting Custom access, unless you want the administrator to have management control of Citrix Cloud and all subscribed services.
- After selecting Custom access, select one or more role and scope pairs for Citrix DaaS, as needed. Be sure to enable only entries that contain the unique scope that was created for the customer.
- When you’re done selecting role and scope pairs, select Send Invite.
When the administrator accepts the invitation, they have the access that you assigned.
Edit delegated administration permissions for administrators
- Sign in to Citrix Cloud with your CSP credentials. Select My Customers in the upper left menu.
- From the Customer dashboard, select Identity and Access Management in the upper left menu.
- On the Administrators tab, select Edit Access from the ellipsis menu for the administrator.
- Select and clear role and scope pairs for Citrix DaaS, as needed. Be sure to enable only entries that contain the unique scope that was created for the customer.
- Select Save.
View customer administrators and their assigned roles and scopes
- Sign in to Citrix Cloud with your CSP credentials. Select My Customers in the upper left menu.
- From the Customer Dashboard, select My Services > DaaS in the upper left menu.
- Select Administrators in the left pane.
Information is available on three tabs:
- The Administrators tab lists the administrators that have been created, plus their roles and scopes.
- The Roles tab lists all roles. To view role details, select the role in the middle pane. The lower portion of that pane lists the object types and associated permissions for the role. Select the Administrators tab in the lower pane to display a list of administrators who currently have this role.
- The Scopes tab lists all the scopes, including the scopes generated for customers of Citrix partners.
Configure workspaces
The customer has their own workspace with a unique customer.cloud.com
URL. This workspace is where the customer’s users access their published apps and desktops.
The workspace URL is displayed in two places:
- From the Customer dashboard, select Workspace Configuration from the menu in the upper left menu.
- From the Citrix DaaS Welcome page (the Overview tab), the workspace URL appears at the bottom of the page.
You can change access and authentication to a workspace. You can also customize the workspace appearance and preferences. For details, see the following articles:
Monitor a customer’s service
The Monitor dashboard in a CSP environment is essentially the same as a non-CSP environment. See Monitor for details.
By default, the Monitor dashboard displays information about all customers. To display information about one customer, use Select Customer.
Keep in mind that the ability to see Monitor displays for a customer is controlled by the administrator’s configured access. The access must include a role and scope pair that includes the customer’s unique scope.
If you used built-in roles to configure access: The built-in roles control whether the administrator can see the Studio displays. If you select only role and customer-scope pairs that don’t include Monitor node visibility, that administrator cannot see the Monitor node for any selected customers. For example, if you give an administrator only Read Only Administrator,customerABC access, that administrator cannot see the Monitor node for customer ABC, because read only administrators cannot access Monitor displays.
Remove a Service
Prerequisites
- Ensure that your customer scope is not linked to any Citrix DaaS objects. If they are linked, you cannot remove the service. To unlink scopes, go to Citrix Studio > Administrators > Scopes and edit the scope.
- To know your customer scope and manage it, see Create and manage scope.
-
Sign in to Citrix Cloud with your Citrix Service Providers credentials.
-
On the Customer dashboard, click the Ellipsis menu (…) of the customer from where you want to remove a service and select Remove Service.
The Service to Remove page appears.
-
Click Remove to remove the service.
In this article
- Requirements
- Limitations and known issues
- Invite or add a customer
- Add Citrix DaaS to a customer
- Set up a resource location
- Set up catalogs and groups to deliver apps and desktops
- Federated domains
- Control administrator access to customers
- Configure workspaces
- Monitor a customer’s service
- Remove a Service