ShareFile and XenMobile are undoubtedly the industry leaders in the EMM and the EFSS space, and together they enable any enterprise to truly mobilize its workforce. At Citrix, we are working hard not only to make these products great individually, but also to ensure integrations that make these products a natural fit for each other and seamlessly harness each other's capabilities. Read the blog here to learn more about some of these consumer-facing integrations between ShareFile and XenMobile.
However, integration efforts are not limited to the consumer-facing features. Currently, for customers using a standalone ShareFile deployment, user provisioning can be managed either manually or through the User Management Tool. However, when customers deploy ShareFile in conjunction with XenMobile, we have streamlined the user provisioning process by integrating ShareFile user provisioning through AppC. When the appropriate ShareFile super-user with administrator permissions is configured in the AppC Docs tab, user accounts are automatically created in the ShareFile control plane for roles that are assigned to ShareFile.
Provisioning with AppC
This post aims to demystify the provisioning process when AppC is used as the provisioning method. It explains what goes on from the time the user is added to Active Directory (AD) until the time the ShareFile account is provisioned for that user. There are 2 activities to be aware of, which drive the provisioning sequence:
- The AppC-AD delta sync – AppC performs a sync operation with AD every 5 minutes on the clock (12:00, 12:05, 12:10… etc.). At this point, AppC checks for any users that were added to or deleted from AD, or users whose membership may have changed, and makes corresponding updates to its database.
- The provisioning task timer – This timer runs every 15 minutes on the clock (12:00, 12:15, 12:30… etc.) and looks for the list of users in AppC that need to be provisioned into ShareFile. Once AppC has a list of users that it needs to provision, it schedules a provisioning task with a 15-minute delay; when that delay expires, the users are provisioned into ShareFile.
The flow diagram below depicts the flow of the provisioning process.
This process can best be understood with an example scenario.
- 3:32pm: Assume that a new user (u_demo1) is created in AD and added to an AD group that maps to a configured role in the “Docs” tab of the AppC.
- 3:35pm: At this 5-minute interval on the clock, AppC will run delta sync with AD and learn that u_demo1 is a newly created user. At this point, AppC will add the user to its own database.
- 3:36pm: Assume that a second user (u_demo2) is created in AD and added to an AD group that maps to a configured role in the Docs tab of the AppC.
- 3:39pm: Assume that a third user (u_demo3) is created in AD and added to an AD group that maps to a configured role in the Docs tab of the AppC.
- 3:40pm: At this 5-minute interval on the clock, AppC will run delta sync with AD again and learn that u_demo2 and u_demo3 are both newly created users. At this point, AppC will add both the users to its own database.
- 3:45pm: At this 15-minute interval on the clock, the provisioning task timer runs to check for changes in the AppC user database. AppC understands that u_demo1, u_demo2 and u_demo3 belong to a role which is configured in the ShareFile Docs tab and that all 3 users need to be provisioned in ShareFile. AppC will schedule a provisioning task with a 15 min delay to provision these users.
- 4:00pm: The 15 min delay timer expires and AppC provisions u_demo1, u_demo2 and u_demo3 into ShareFile.
Time from user creation to provisioning:
- u_demo1 – 28 min
- u_demo2 – 23 min
- u_demo3 – 21 min
Hopefully, this clarifies some questions around ShareFile user provisioning using AppC. Whether you choose to use AppC or UMT to provision users, the process involves communication between AD, AppC and the ShareFile control plane. In cases where the process has not fully completed, users may see certain error messages when they try to log in to their ShareFile accounts.
Common errors and how to resolve them
1. Subscription required
This error is seen when a user has been provisioned in ShareFile either manually or through the UMT, but AppC has not had a chance to reconcile the user. This error may also occur if the user has not yet been synced into the AppC database from AD. The snapshot below shows a view of the user in both ShareFile and AppC when the user is not reconciled.
Resolution: Reconcile the user with the appropriate domain account in AppC. After that, the admin can either run a manual sync on the Docs tab or wait for the auto reconciliation process to occur at 2:00 AM every night.
2. Your account is being setup
This scenario is more likely to occur when AppC is used for provisioning ShareFile users. This happens when the user from AD has been synced into the AppC database after the 5-min delta sync, but has not yet been provisioned into ShareFile.
Resolution: Wait for the provisioning task timer to provision the user in the ShareFile control plane and for the user to be reconciled in AppC.
3. User account has been disabled
This error is seen when the user account has been provisioned in ShareFile and has also been reconciled in AppC, but the user state is set to “Disabled” in the ShareFile control plane.
Resolution: Re-enable the user in ShareFile.
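The timing rules from "Provisioning with AppC" and the first two login messages above can be combined into a small model that an administrator can use to predict when a new AD user becomes usable and which message that user would see in the meantime. This is an added example, not Citrix code: the function names, the constructed date, the "provisioned" label, and the assumption that a timer run landing on the same boundary as a delta sync sees that sync's result are all illustrative.

```python
from datetime import datetime, timedelta

SYNC_MIN = 5                    # AppC-AD delta sync, every 5 min on the clock
TIMER_MIN = 15                  # provisioning task timer, every 15 min on the clock
DELAY = timedelta(minutes=15)   # delay before the scheduled task provisions


def next_tick(t, step_min):
    """First on-the-clock boundary (minute % step_min == 0) at or after t."""
    floor = t.replace(minute=t.minute - t.minute % step_min, second=0, microsecond=0)
    return floor if floor == t else floor + timedelta(minutes=step_min)


def timeline(created):
    """(synced, scheduled, provisioned) for a user created in AD at `created`."""
    synced = next_tick(created, SYNC_MIN)
    # Assumption: a timer run on the same boundary as a sync sees that sync's result.
    scheduled = next_tick(synced, TIMER_MIN)
    return synced, scheduled, scheduled + DELAY


def login_state(created, now):
    """Message expected at `now`; "provisioned" is a label used only here."""
    synced, _, provisioned = timeline(created)
    if now < synced:
        return "Subscription required"        # not yet synced into AppC from AD
    if now < provisioned:
        return "Your account is being setup"  # in AppC, not yet in ShareFile
    return "provisioned"


def latency_range():
    """Shortest and longest creation-to-provisioning time, at 1-second resolution."""
    base = datetime(2020, 1, 1, 15, 0)        # constructed date
    waits = [timeline(base + timedelta(seconds=s))[2] - (base + timedelta(seconds=s))
             for s in range(3600)]
    return min(waits), max(waits)


if __name__ == "__main__":
    # Constructed sample: the three users from the scenario above.
    for name, minute in (("u_demo1", 32), ("u_demo2", 36), ("u_demo3", 39)):
        created = datetime(2020, 1, 1, 15, minute)
        synced, scheduled, provisioned = timeline(created)
        print(name, synced.time(), scheduled.time(), provisioned.time())
    print(latency_range())
```

Under these assumptions a new account is never usable sooner than 15 minutes after creation in AD and can take just under 30 minutes, which is the window in which "Your account is being setup" is expected rather than a fault.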