Managing Console User Accounts and Roles
The ProfileUnity Management Console provides one central utility administrators can use to configure and manage how users interact with the different types of desktops in their environment. Upon installation, ProfileUnity creates a default admin user account. The username is “admin”, and you are asked to supply a password. Make note of this information to refer to it later as needed.
You can edit these settings and create additional console user accounts if you want to do so. Creating, modifying, and deleting user accounts is done through the Access and Authentication tab of the Administration screen within the ProfileUnity Management Console. To navigate to this section, complete the following steps:
- Hover over your username in the top right corner of the Management Console screen.
- In the drop-down menu that appears, click the Administration option.
- The Administration screen opens with the Settings tab displayed.
- Click the Access and Authentication tab in the top right corner of the screen.
Configuring Authentication Settings
Authentication Mode
ProfileUnity offers four ways to authenticate users: Basic, Domain, SAML, and Common Access Card (CAC) Secure Mode.
- Basic authentication uses ProfileUnity’s local authentication process.
- Domain authentication allows users to authenticate using Active Directory during a ProfileUnity Management Console logon. This feature allows existing directory credentials to be used with ProfileUnity and prevents users from having to maintain an additional password. If the Secure domain communications using StartTLS checkbox is selected, all Active Directory communications will use TLS encryption via TCP port 389.
- SAML authentication involves Single Sign On authentication. This can be useful for environments that already have a centralized identity provider handling authentication and authorization to applications or servers and want to extend this to include the administrator logins to the ProfileUnity Console. For an in-depth discussion of SAML authentication, refer to "Configuring SAML Authentication for the ProfileUnity Console."
- CAC Secure Mode authentication automatically disables all other authentication modes, making CAC/PIV client certificates the only possible authentication method. This mode requires that you have a client-side certificate, most commonly through a CAC-enabled browser. With this authentication mode, you select Certificate Authorities from the local machine root, and client certificates are then checked against these authorities. If you select the Enable CAC Certificate Revocation List Cache checkbox during setup, CRL checks are cached offline.
Note: Any change to the Authentication Mode requires a service restart.
Configuring Microsoft Entra ID
Configuring Microsoft Entra ID is required to enable the ability to use Microsoft Entra ID-based security groups as filter conditions for rules defined in your ProfileUnity Configurations. It’s also required for AVD App attach integration. The Microsoft Entra ID user group membership filter condition can be useful for environments with the need to filter based on group memberships utilizing Entra ID joined-only (non-hybrid-joined) desktops and users authenticating against Microsoft Entra ID, rather than against an on-prem Active Directory domain. Refer to Configuring Microsoft Entra ID for use with Security Group-based Filters for detailed instructions.
Creating a New User Account
To add a new console user or login group, complete the following steps:
- In the Access Management section, click the Add Access button.
- Select the Link to Active Directory checkbox to authenticate users with LDAP.
- Select User or Group from the drop-down menu if using Link to Active Directory.
- Select the domain to search from the second drop-down menu if using Link to Active Directory.
- In the Name field, enter the username the user will use to log in to ProfileUnity, or if using Link to Active Directory, enter the username or group to which the user belongs in the Search field.
Note: If Link to Active Directory is selected, this username or group must map to an entry in the LDAP directory server for authentication to succeed.
- Enter the New Password the user will use to log in to ProfileUnity. This field is not used if Link to Active Directory is selected. A valid password must be at least 8 characters long and include at least one character from three of the following categories:
  - Uppercase letters
  - Lowercase letters
  - Numbers
  - Non-alphanumeric characters
- Re-enter your password in the Confirm Password field.
- Select an Account Type:
  - Administrators
  - Users
- Click the Save button.
Editing User Account Settings
To edit a console user’s settings, click the (Edit) icon next to the user’s account name in the Access Management list.
To edit user account settings, complete the following steps:
- Click the (Edit) icon in the user's row.
- (Optional) Select a different Account Type:
  - Administrators
  - Users
- (Optional) Select the Disable User checkbox if you want to prevent the user from logging in to the ProfileUnity Management Console.
- Click Save.
Resetting User Account Passwords
To reset an existing console user’s password at any time, click the Change Password icon next to the user’s account name.
You will be asked to enter a new password and to confirm the password by re-entering it. A valid password must be at least 8 characters long and include at least one character from three of the following categories:
- Uppercase letters
- Lowercase letters
- Numbers
- Non-alphanumeric characters
Deleting User Accounts
To remove an old or unused user account from the Access Management screen, click the Delete icon next to the name of the user, then confirm that you want to proceed with the deletion. Note that after the user account is deleted, it cannot be recovered.
Disabling or Enabling User Accounts
Disabling active user accounts can be done in two ways. You can either click the (Edit) icon for a user and then select the Disable User checkbox on the Edit screen, or you can click the (Enable/Disable) icon in the Access Management list next to the name of the user whose account you want to disable. A user account appears grayed out when it is disabled.
To reactivate inactive user accounts, click the Enable or Disable button in the Access Management list next to the name of the user whose account you want to enable again.
- Disable Toggle — Account is Enabled. Click the dark gray icon to disable the user account.
- Enable Toggle — Account is Disabled. Click the grayed-out icon to enable the user account.
Role Management
The Role Management section of the Access and Authentication tab allows users to assign specific Management Console editing permissions for each Active Directory user account. This feature makes it possible to have leveled roles within a help desk team, so that certain changes can be made by some users while other edits are reserved for higher-level admins. For example, a level-one role might include the ability to change drive mappings, printer settings, and shortcut settings but not allow users assigned to that role to change filters, portability, or FlexDisk settings. By default, only local admin users can make edits in the ProfileUnity Management Console. All other Active Directory users can view the current settings but are unable to make edits until roles are assigned. Roles make it possible to grant granular editing permissions within the ProfileUnity Management Console. However, ProfileUnity cannot grant or override server user account permissions. Users do not have to be Active Directory Administrators in order to be assigned roles.
Designating a Service Account
(Optional but required to enable Roles) An Active Directory service account must be designated as the account that will deploy the configuration file and make queries to outside resources like Active Directory, file shares, and print shares. This account will need full control of the deployment path. Users do not need any access to the deployment path when a service account is set up. Under Service Account for Deployment, enter the username and password for this account. Then click the Add/Update button.
Creating a New Role
To create a new role, complete the following steps:
- Click the Add Role button.
- On the General tab that opens by default, type the Name of the role.
- Assign a Sequence to the new role. If conflicting roles are created, the lower sequence number takes precedence.
- (Optional) Add a Description in the related field.
- Click the Permissions tab.
- Select all permissions that you want to grant to the new role.

- Click the User and Group Access tab.
- Under Locate User Or Group, select your domain and then start typing the name of the user or group to be assigned to this role in the Search field below the domain name. After you type the first three letters, ProfileUnity displays users and groups whose names contain those letters. Click on an entry to add the user or group to this list.

- Click the Configurations tab.
- In the Locate Configuration field, enter the name of the ProfileUnity Configuration where this role will apply.
- (Optional) Add more configurations, if you want.
- Click Save.
Editing a Role
To edit a role, click the (Edit) icon to the right of the role name in the Role Management list. Make the necessary changes to each section, as you did when creating a new role.
Deleting a Role
To delete a role, click the (Delete) icon to the right of the role name in the Role Management list.
