How to Manage Employee Permissions in ShareFile

How to Manage Permissions

  1. Go to People > Manage Users (or Browse Employees or Browse Clients)
  2. Browse or search for your user. Click the user or the Manage icon on the right, to open the user profile.
  3. Modify permissions as needed, then Save.

Default Employee Permissions

When creating a new employee, the following permissions are granted by default. You can modify these settings during the user creation process.

Note: A grayed setting indicates a permission that the creating user does not have access to or is not permitted to give to others – therefore, they cannot grant that permission to another user.

User Access

Basic Information:

  • Date Created
  • Email Address
  • First Name & Last Name
  • Company name.


Modify the user’s default Notification Frequency settings.

Default Email Language

Modify the user’s default Email Notification Language.

Bandwidth Limit

You may select a maximum monthly bandwidth allowance for the employee. This limit will prevent the employee from personally uploading and downloading more data than you allow them. It will also apply to all of their folders, so that they may not share files with others more than you would like for them to.

Note: Employee bandwidth limits can also affect clients that the employee works with by limiting how much they may download from the employee’s folders. This is used by some accounts where employee use may need to be limited to prevent bandwidth overages.


Whether the customer is utilizing ShareFile Credentials or Two-Step Verification.

User Access:


Change their password

If a user may change their password, they can use the ‘Forgot Password’ link on the login screen if they ever forget the password. If this is not marked, they will need to contact an employee who can manage employee permissions for help logging in.

Access Personal Settings

In personal settings, a user can manage their name, company name, and avatar. They will be able to update or change their password on this page if they have the permission to change their password.

Files and Folders

Use personal File Box

The File Box is a personal storage space where employees may store files for a limited period of time. This space is not generally a collaborative or shared space, although some users may be given access to see other employee’s File Boxes. If you do choose to take away a user’s access to the File Box, they will not be able to use any email plugin tool or add files from their computer when creating a Share message or Link.

Be added to file drops

This will only be available if File Drop is enabled on your account. This will allow users who create new file drops to list this employee as a contact that clients may select to send files to through a form.


Manage Clients

This will allow the employee to see the People tab in the navigation bar and to add new users to the account. They will also be able to edit settings for any clients that they create.

Note: Editing a client user’s email address requires the Manage Employees permission.

Edit the shared address book

The Shared Address Book is available to employee users on the account so that they may quickly and easily pull up contact information for users on the account. If this is checked, the employee will be able to add users to the Shared Address Book to allow others to see their contacts on the system.

Share distribution groups

If this permission is enabled, the employee user will be able to create a Shared Distribution group.

Edit other users’ shared distribution groups

When setting up a new Distribution Group, users will have the option to share the group with all employees. If this permission is enabled, the employee user will be able to add more users to a group that has been created on the system and shared with others.

Company Account Info

Edit account appearance

Allow the user to configure account branding and appearance settings.


View receipts and billing notifications

The Receipts & Billing Notifications link in the Admin Settings > Billing section will allow any user with this permission enabled to download copies of any receipt or invoice for the account.

*You may or may not see the below settings on your user page. These settings will display only if you have the feature enabled on your plan type.

Advanced Preferences


Create Network Share Connectors

This permission grants the user the ability to create and manage new Network Share-type Connectors. This permission is only available to ShareFile users on select plans.

Create SharePoint Connectors

This permission grants the user the ability to create and manage new Sharepoint-type Connectors. This permission is only available to ShareFile users on select plans.


Select StorageZone for root-level folders

In order to change another user’s default storage location, membership to the Super User Group is required. This permission is only available to ShareFile users on select plans.


  • No Related Posts

ShareFile Outlook Plugin – Basic Installation


To download the plugin, log in to your ShareFile account and click the Apps link in the top navigation bar. Locate Outlook Plugin in the list of apps and click the Download button. Once the installation file has been downloaded, close Microsoft Outlook and run the installation file. This will install the ShareFile Plugin for the currently logged-in user. You must accept the License Agreement to continue installation.

(Please note that the ShareFile Plugin for Microsoft Outlook Versions 3.0 and later installs only for the current logged-in user. If you wish to install the plugin for all users on the PC, please refer to the Administrative Installation section below.)

Once installation is complete, open Microsoft Outlook.

Installation Location

When installing a per-user version of the OLP, the app will be installed in C:UsersUSERNAMEAppDataLocalShareFile

When installing a per-machine version of the OLP, the app will be installed in C:Program Files (or x86)ShareFile


  • No Related Posts

How to Configure Full VPN Setup on a NetScaler Gateway Appliance

Configure a full VPN Setup on a NetScaler Gateway Appliance

To configure a VPN setup on NetScaler Gateway appliance, complete the following procedure:

  1. From NetScaler configuration utility, navigate to Traffic Management > DNS.

  2. Select the Name Servers node, as shown in the following screen shot.

    Ensure that the DNS Name Server is listed. If it is not available, add a DNS Name Server.

    User-added image

  3. Expand NetScaler Gateway > Policies.

  4. Select the Session node.

  5. Activate the Profiles tab of NetScaler Gateway Session Policies and Profiles page and click Add.

    Note: For each component you configure in the Configure NetScaler Gateway Session Profile dialog box, ensure that you select the Override Global option for the respective component.

  6. Activate the Client Experience tab.

  7. Type the intranet portal URL in the Home Page field if you would like to present any URL when the user login into the VPN.

    If homepage parameter is set to “nohomepage.html”, homepage will not be displayed. When the plug-in starts, a browser instance starts and gets killed automatically.

    User-added image

  8. Ensure to select the desired setting from the Split Tunnel list (for more information about this setting, check above).

  9. Select OFF from the Clientless Access list if you want FullVPN.

    User-added image

  10. Ensure that Windows/Mac OS X is selected from the Plug-in Type list.

  11. Select the Single Signon to Web Applications option if desired.

  12. Ensure that the Client Cleanup Prompt option is selected if required, as shown in the following screen shot:

    User-added image

  13. Activate the Security tab.

  14. Ensure that ALLOW is selected from the Default Authorization Action list, as shown in the following screen shot:

    User-added image

  15. Activate the Published Applications tab.

  16. Ensure that OFF is selected from the ICA Proxy list under Published Applications option.

    User-added image

  17. Click Create.

  18. Click Close.

  19. Activate the Policies tab of the NetScaler Gateway Session Policies and Profiles page in the Vserver or activate the Session Policies at the GROUP/USER Level as required.

  20. Create a Session policy with a required expression or ns_true, as shown in the following screenshot:

    User-added image

  21. Bind the Session policy to the VPN virtual server.

    Go to NetScaler Gateway virtual server > Policy. Choose the required session policy (in this example Session_Policy) from the drop-down list.

  22. If Split Tunnel was configured to ON, you should configure the Intranet Applications you would like the users to access when connected to the VPN. Go to NetScaler Gateway > Resources > Intranet Applications.

    User-added image

  23. Create a new Intranet Application. Select Transparent for FullVPN with Windows client. Select the protocol you would like to allow (TCP, UDP, or ANY), Destination Type (IP address and Mask, IP address Range, or Hostname).

    User-added image

  24. There is no full VPN support for for iOS and Android apps.

    Set a new policy for Citrix VPN on iOS and Android using following expression:


    User-added image

  25. Bind the Intranet Applications created at the USER/GROUP/VSERVER level as required.

Additional Parameters

The following are some of the parameters we can configure and a brief description of each:

Split Tunnel

Split Tunnel Off

When split tunnel is set to off, the NetScaler Gateway Plug-in captures all network traffic originating from a user device and sends the traffic through the VPN tunnel to NetScaler Gateway. In other words, the VPN client establishes a default route from the client PC pointing to the NetScaler Gateway VIP, meaning that all the traffic needs to be sent through the tunnel to get to the destination. Since all the traffic is going to be sent through the tunnel, authorization policies must determine whether the traffic is allowed to pass through to internal network resources or be denied.

While set to “off”, all traffic is going through the tunnel including Standard Web traffic to websites. If the goal is to monitor and control this web traffic then we should forward these requests to an external Proxy using NetScaler. User devices can connect through a proxy server for access to internal networks as well.

NetScaler Gateway supports the HTTP, SSL, FTP, and SOCKS protocols. To enable proxy support for user connections, you must specify these settings on NetScaler Gateway. You can specify the IP address and port used by the proxy server on NetScaler Gateway. The proxy server is used as a forward proxy for all further connections to the internal network.

For more information review the following links:

Enabling Proxy Support for User Connections

Split Tunnel OFF

Split Tunnel ON

You can enable split tunneling to prevent the NetScaler Gateway Plug-in from sending unnecessary network traffic to NetScaler Gateway. If split tunnel is enabled, the NetScaler Gateway Plug-in sends only traffic destined for networks protected (intranet applications) by NetScaler Gateway through the VPN tunnel. The NetScaler Gateway Plug-in does not send network traffic destined for unprotected networks to NetScaler Gateway. When the NetScaler Gateway Plug-in starts, it obtains the list of intranet applications from NetScaler Gateway and establishes a route for each subnet defined on the intranet application tab in the client PC. The NetScaler Gateway Plug-in examines all packets transmitted from the user device and compares the addresses within the packets to the list of intranet applications (routing table created when the VPN connection was started). If the destination address in the packet is within one of the intranet applications, the NetScaler Gateway Plug-in sends the packet through the VPN tunnel to NetScaler Gateway. If the destination address is not in a defined intranet application, the packet is not encrypted and the user device then routes the packet appropriately using the default routing originally defined on the client PC. “When you enable split tunneling, intranet applications define the network traffic that is intercepted and send through the tunnel”.

For more information review the following link:

Split Tunnel ON

Reverse Split Tunnel

NetScaler Gateway also supports reverse split tunneling, which defines the network traffic that NetScaler Gateway does not intercept. If you set split tunneling to reverse, intranet applications define the network traffic that NetScaler Gateway does not intercept. When you enable reverse split tunneling, all network traffic directed to internal IP addresses bypasses the VPN tunnel, while other traffic goes through NetScaler Gateway. Reverse split tunneling can be used to log all non-local LAN traffic. For example, if users have a home wireless network and are logged on with the NetScaler Gateway Plug-in, NetScaler Gateway does not intercept network traffic destined to a printer or another device within the wireless network.

To configure split tunneling

  1. From the Configuration Utility navigate to Configuration tab > NetScaler Gateway > Policies > Session.
  2. In the details pane, on the Profiles tab, select a profile and then click Open.
  3. On the Client Experience tab, next to Split Tunnel, select Global Override, select an option and then click OK twice.

Configuring Split Tunneling and Authorization

When planning your NetScaler Gateway deployment, it is important to consider split tunneling and the default authorization action and authorization policies.

For example, you have an authorization policy that allows access to a network resource. You have split tunneling set to ON and you do not configure intranet applications to send network traffic through NetScaler Gateway. When NetScaler Gateway has this type of configuration, access to the resource is allowed, but users cannot access the resource.

If the authorization policy denies access to a network resource, you have split tunneling set to ON, and intranet applications are configured to route network traffic through NetScaler Gateway, the NetScaler Gateway Plug-in sends traffic to NetScaler Gateway, but access to the resource is denied.

For more information about authorization policies, review the following:

Configuring Authorization

Configuring Authorization Policies

Setting Default Global Authorization

To configure network access to internal network resources

  1. In the configuration utility, on the Configuration tab > NetScaler Gateway > Resources > Intranet Applications.
  2. In the details pane, click Add.
  3. Complete the parameters for allowing network access, click Create and then click Close.

Intranet IPs

No Intranet IPs

When we do not setup intranet IPs for the VPN users, the user sends the traffic to the NetScaler Gateway VIP and then from there the NetScaler builds a new packet to the intranet application resource located on the internal LAN. This new packet is going to be sourced from the SNIP toward the intranet application. From here, the intranet application gets the packet, processes it and then attempts to reply back to the source of that packet (the SNIP in this case). The SNIP get the packet and send the reply back to the client who made the request.

For more information review the following link:

No Intranet IPs

Intranet IPs

When Intranet IP are being used, the user sends the traffic to the NetScaler Gateway VIP and then from there the NetScaler is going to map the client IP into one of the configured INTRANET IPs from the Pool. Be advised that the NetScaler is going to own the Intranet IP pool and for this reason these ranges shouldn’t be used in the internal network. The NetScaler will assign an Intranet IP for the incoming VPN connections like a DHCP server would do. The NetScaler builds a new packet to the intranet application located on the LAN the user would access. This new packet is going to be sourced from one of the Intranet IPs toward the intranet application. From here, intranet applications gets the packet, process it and then attempt to reply back to the source of that packet (the INTRANET IP). In this case the reply packet needs to be routed back to the NetScaler, where the INTRANET IPs are located (Remember, the NetScaler owns the Intranet IPs subnets). To accomplish this task, the network administrator should have a route to the INTRANET IP, pointing to one of the SNIPs (it would be recommended to point the traffic back to the SNIP that holds the route from which the packet leaves the NetScaler the first time to avoid any asymmetric traffic).

For more information review the following link:

Intranet IPs

Configuring Name Service Resolution

During installation of NetScaler Gateway, you can use the NetScaler Gateway wizard to configure additional settings, including name service providers. The name service providers translate the fully qualified domain name (FQDN) to an IP address. In the NetScaler Gateway wizard, you can configure a DNS or WINS server, set the priority of the DNS lookup, and the number of times to retry the connection to the server.

When you run the NetScaler Gateway wizard, you can add a DNS server at that time. You can add additional DNS servers and a WINS server to NetScaler Gateway by using a session profile. You can then direct users and groups to connect to a name resolution server that is different from the one you originally used the wizard to configure.

Before configuring an additional DNS server on NetScaler Gateway, create a virtual server that acts as a DNS server for name resolution.

To add a DNS or WINS server within a session profile

  1. In the configuration utility, configuration tab > NetScaler Gateway > Policies > Session.
  2. In the details pane, on the Profiles tab, select a profile and then click Open.
  3. On the Network Configuration tab, do one of the following:
    • To configure a DNS server, next to DNS Virtual Server, click Override Global, select the server and then click OK.
    • To configure a WINS server, next to WINS Server IP, click Override Global, type the IP address and then click OK.


  • No Related Posts

How to Configure LDAP Authentication on NetScaler Appliance for Management Purposes

Overview diagram of configuring LDAP Authentication on the NetScaler

User-added image

NetScaler GUI

  1. Creating LDAP Server
  2. Creating LDAP Policy
  3. Binding LDAP Policy
  4. Assign privileges to your administrators
    1. Scenario A. Applying Privileges on Group
    2. Scenario B. Applying Privileges Individually for Each User

To configure user logon on a NetScaler appliance (for Management purposes) complete the following tasks:

1. Creating LDAP Server

Add an Authentication Server from System > Authentication > LDAP > Server tab and complete the required fields as shown in the example screenshot anc click Create.

LDAP Server configuration

In this example, we limit the access to the NetScaler by filtering the authentication on the user group membership by setting Search Filter. Value used for this example is – &(memberof=CN=NSG_Admin,OU=AdminGroups,DC=Citrix,DC=lab)

As search filter is configured, everyone who are not member of NSG_Admin group will not be able to log on to the NetScaler Management interface.

Back to top

2. Creating LDAP Policy

Add an Authentication policy from System > Authentication > LDAP > Policies tab. Enter a name for the policy, select the server that you created in Step 1 from the drop-down menu and in the Expression text field, type ns_true and click Create:

LDAP Policy configuration.

Back to top

3. Binding LDAP Policy

Go to Global Bindings > Add Binding > Click to Select field and choose the newly created policy (in this example, pol_LDAPmgmt). Choose a priority accordingly (the lower the number, the higher the priority), click on Bind and then Done. A green checkmark will show under Globally Bound:

LDAP authentication policy globally bound

Back to top

4. Assign privileges to your administrators

You can choose between two options :

  • Adding a new group under NetScaler and assigning the same access rights for every user who are members of this group.
  • Creating each user administrator account and assign for each of them the correct rights.

Back to top

Scenario A. Applying Privileges on Group

In this scenario, users who are member of you Active Directory group configured in the search filter (in this example, NSG_Admin) will be able to connect to the NetScaler Management interface and will have superuser command policy.

Add a new system group to the NetScaler, under System > User Administration > Groups.This will define the Active Directory group that the users are members of and the Command Policy level that should be associated to the account when logging in. Then, click Create.

Note: The Group Name has to match the Active Directory record exactly.

System Administrators Group

Adding New Administrators

Just add the new administrator users to the LDAP group you configured on the search filter in Step 1.

Back to top

Scenario B. Applying Privileges Individually for Each User

In this scenario, users who are member of your Active Directory group configured in the search filter (in this example, NSG_Admin) will be able to connect to the NetScaler Management interface but will not have any privileges until you create the specific user on NetScaler and bind command policy to it. This scenario allow you to leverage the administrative right per users.

Add a new system user to the NetScaler, under System > User Administration > Users.This will define the Active Directory user and the Command Policy level that should be associated to the account when logging in. Be sure Enable External Authentication is checked. Then, click Continue.

Notes: The username has to match the existing user Active Directory record exactly.

When you add a user to NetScaler for external authentication, you need to provide a password in case of the external authentication would not be available. For the external authentication to work properly, the internal password must not match the user account LDAP password.

User creation 1-2

Under Bindings, click on System Command Policy. Depending on your needs, choose the right Command Policy to apply to your user. Bind the desired command policy and click Close and then Done.

Command policy binding

Adding New Administrators

Add the new administrator users to the LDAP group you configured on the search filter in Step 1.

Create the new system user in NetScaler and assign the correct command policy.

Back to top

Use the following commands as a guide to configure logon for a group with Superuser privileges on the NetScaler appliance CLI:

# 1. Creating LDAP Serveradd authentication ldapAction LDAP_mgmt -serverIP myAD.citrix.lab -serverPort 636 -ldapBase "DC=citrix,DC=lab" -ldapBindDn readonly@citrix.lab -ldapBindDnPassword -ldapLoginName sAMAccountName -searchFilter "&(memberof=CN=NSG_Admin,OU=AdminGroups,DC=citrix,DC=lab)" -groupAttrName memberOf# 2. Creating LDAP Policyadd authentication ldapPolicy pol_LDAPmgmt ns_true LDAP_mgmt# 3. Binding LDAP Policy bind system global pol_LDAPmgmt -priority 110# 4. Assign privileges to your administrators### Scenario A. Applying privileges on the groupadd system group NSG_Adminbind system group NSG_Admin -policyName superuser 100### Scenario B. Applying the privileges individually for each usersadd system user admyoabind system user admyoa superuser 100


  • No Related Posts

“You are Not Authorized to use this client” error while signing into ShareFile Drive Mapper

Tradução automática

Эта статья была переведена автоматической системой перевода и не был рассмотрен людьми. Citrix обеспечивает автоматический перевод с целью расширения доступа для поддержки контента; Однако, автоматически переведенные статьи могут может содержать ошибки. Citrix не несет ответственности за несоответствия, ошибки, или повреждения, возникшие в результате использования автоматически переведенных статей.


  • No Related Posts

Print to ShareFile

Print to ShareFile also allows you to send a file for signature using RightSignature, or Fax with ShareFile via SFax.


  • No Related Posts

How to get the Add-In for Outlook – Web

You should go through the Outlook app to get to the store / add-ins page instead of going to the store outside of the app. This is what Microsoft also recommends:

In Outlook on the Web, access the Manage Integrations / Add-Ins menu in Settings. (Note: This may be an Apps button in your New Mail menu.)

User-added image

User-added image

Search for ShareFile and you will find our add-in. From the ShareFile add-in page, switch the toggle from Off to On.

User-added image

User-added image

Now you can start using ShareFile in Outlook on the Web! Simply open a new message in Outlook and you’ll see the ShareFile button in your new message window. Click on that button to start sharing and requesting files.

User-added image

User-added image

For more information on using the add-in, as well as the latest updates, please refer to our Knowledge article at


  • No Related Posts

How to Create a Folder and Modify Folder Options

Create a folder to organize the files stored on your account. You have granular control of who can access files stored in a given folder, including the ability to control download and upload permissions.

If you’re looking for information on Folder Options, click here.

Permission Requirements

In order to create a subfolder, you must have upload permissions in the parent folder. To create a folder:

  1. Access the green Action Button and select Create Folder.
  2. Enter a folder name, description (optional) and a drop-down menu to add users.
  3. If you would like to allow other users to access this folder with specific permissions, click the checkbox for Add People to Folder. Leave this box unchecked if you do not wish to add users at this time, or if you plan to add users at a later date.
  4. ShareFile does not allow you to have duplicate folder names on the root of the account or in the same parent folder.
  5. Click Create Folder.
  6. To create a subfolder, repeat the above steps.
User-added image

Share Your Folder with Others

Click here for information on how to share your folder with other users.

Create Folders in Bulk

The Bulk Folder Upload is designed for customers who want each of their clients to have their own folder within their account. The Bulk Folder Upload will add your client users to your ShareFile account, provide them with login information, and create folders for each client to access.

Click here to download the Bulk Folder Upload template. Please enter the following information in the provided columns:

  1. EmailAddress
  2. FirstName
  3. LastName
  4. Company
  5. Password (if left blank, the client will receive a randomly generated password)
  6. FolderName

When filling out the spreadsheet do not change the spreadsheet name or any of the column titles. This will cause an error in the upload.

Send the completed spreadsheet to ShareFile Customer Support with the following information:

  • Which root-level folder the new client folders will be created under
  • Who will be the Owner of the new Folders (either you or another Employee)
  • Which permissions and settings the client users should have. These include:
    • Ability to change their passwords
    • Add the user to the company Shared Address Book
    • Users can download from their folders
    • Users can upload from their folders
    • Can delete
    • Users are Folder Administrators
    • Users can receive download notifications
    • Users can receive upload notifications

You will also need to let ShareFile Customer Care know if the Welcome Email should be customized and if you want this sent out to all your new users at one time. Alternatively, you may send out the Welcome Email manually through the Manage Users link in your account.

You may submit the above request directly by clicking here:

Folder Creator vs Folder Owner

When a folder is created by a user, the creator will be listed as the Creator of the folder when viewing the folder as an individual item. Once you have navigated within that folder, you can view the current folder owner in the Folder Access pane at the bottom of the page. If a user created a folder, but has been removed from the account, that user will still be listed as the Folder Creator. However, Folder Owner will be changed when the deleted user’s folders and files have been reassigned to another user.

(The Creator Column denotes the original folder creator)

User-added image

(The current owner of the folder is denoted in the Folder Access pane)

User-added image

Available Folder Options

Folder Options can be accessed in the More Options menu when viewing a folder.

File Retention Policy

The File Retention Policy determines how long files are retained in a specific folder. You can set a default file retention policy for all newly created folders if you are an administrator for the account. To set a policy, click into the root level folder you would like to set the policy on. You have the option to have files deleted 1 day, 7 days, 14 days, 30 days, 60 days, 90 days, 6 months, 1 year or 2 years after they are uploaded.

This applies to all files in the root level folder, as well as all files within the subfolders.

Account-wide default settings can be configured by an account Admin in the Advanced Preferences menu. When changing the account-wide setting, the new setting will only apply to newly created folders and not previous folders in your account.

Will I be notified before my policy deletes my files?

Before files or folders are removed, a warning message is shown in the following locations:

User-added image
User-added image

Retention Policy FAQ

If you set both a folder expiration date and a file retention policy, the most restrictive policy will take effect.

For example, if the folder expiration date is set to one week from today’s date and the file retention policy is set to 30 days then the folders and all its contents will be deleted under the one week policy.

When moving files and folders, they will inherit the new parent/root level folder’s policy.

For example, if you move a file from your File Box into a folder with a retention policy of 90 days, then the file will inherit a expiration date of 90 days from its uploaded date.

When setting a new policy or changing a policy on an existing folder there will be an automatic 7 day warning.

For example, if you uploaded a file six months ago and today set a file retention policy for 30 days, then the file will be set to delete in 7 days to avoid any accidental deletions.

Will the File Retention Policy delete all subfolders?

No – the files contained within the folders will be removed, but the empty folder will remain. To have folders automatically removed, try using a Folder Expiration Date lower down in this article.

What happens to files removed by retention policy?

Files and folders deleted by a retention policy are permanently removed. Files removed by retention policy cannot be restored from the Recycle Bin.

It is possible to customize the retention policy of the Personal Folders section of your account via the Edit Folder Options link. Any changes made to the File Retention policy of your Personal Folders will supersede account-wide File Retention policy settings. If you do not want your users to have this ability, please contact ShareFile Customer Support to have this setting disabled.

Folder Expiration Date

Items deleted via Expiration Policy cannot be restored from the Recycle Bin. To set a specific date on which a folder and all files contained within it are deleted:

  1. Access the folder you wish to delete.
  2. Access More Options beside the folder name and select Advanced Folder Settings.
  3. Under Folder Expiration Date, use the calendar or date format to specify the expiration date.
  4. Save.

Sort Files in a Folder

Files can be sorted by clicking on any header within the folder. The options are by Title, Mb, Uploaded date, or Creator. Folder Admins can change the default sort order in the Advanced Folder Options menu. Account Administrators can set account-wide sorting defaults in the Admin Settings section of their account, in Advanced Preferences.


  • No Related Posts

ShareFile Security FAQ

Citrix ShareFile stores your files in secure, SSAE 16 audited datacenters. Our privately managed server farm is equipped with the latest firewalls and Internet security updates to help keep your data completely safe, and physical security measures from fingerprint scanners to ballistic-proof exteriors protect against theft and natural disaster. Click here for additional information on ShareFile Security and Compliance.


Encryption is a method for transforming data during either transfer or storage so that it requires permission to access. The data is transformed using an algorithm that generates a decryption key that must be used in order to open the data. When transferring sensitive files, it is important to use encryption to ensure that any outside sources cannot read the data contained within the files. All file transfers through the ShareFile service are encrypted using 256-bit SSL (Secure Sockets Layer). This is the same security used by banks and many e-commerce sites such as SSL works by establishing a private connection and each end of the connection is authenticated before transfer begins. Data traveling between these endpoints can only be decrypted by the intended recipient by using unique decryption keys. Files uploaded to ShareFile servers are saved with 256-bit AES encryption. Each file saved in our system has a unique encryption key. When a file is uploaded, it is encrypted before being copied to its permanent storage location. Downloaded files are decrypted before their contents are sent to your browser. The file encryption keys are not stored on the same server with the files themselves, ensuring that someone with physical access to our storage servers has no access to the files contained on their hard drives.

Secure Uploads and Downloads

Files are uploaded and downloaded between the end user and the storage tier directly over an Secure Socket Layer (SSL) or Transport Layer Security (TLS) encrypted segment using high grade encryption. ShareFile supports TLS 1.0, 1.1 and 1.2. These are the same encryption protocols and algorithms used by e-commerce services and online banking. On Professional, Corporate, Enterprise, and VDR plans, files are stored at rest using the Advanced Encryption Standard (AES) with a 256 bit key. All uploaded files not pre-Internet encrypted, encrypted by the end user prior to upload, are scanned for known malware including viruses, Trojans, and worms. Files that reflect a known malware signature are flagged with a Red X and end users are subsequently prompted prior to downloading a suspicious file. Additional customer account preferences are available that would prevent end users from downloading a file until it’s been scanned and from downloading a file that is suspicious. However, note that these stricter options may affect the overall usability of the ShareFile service.

Secure User Access

Each user on an account is given a unique username and password to login. Passwords are hashed so that not even ShareFile employees can access this information. If a user enters an incorrect password five times in a row, the system will lock that user account for five minutes before they can login again. ShareFile account users will only see folders where they have been granted permissions and are listed in the Folder Access list. Folders where they have not been granted permissions will be invisible to them in the folder view and on any reports that they can access. By default, client users do not have access to information about other users on the account. All activity in an account is logged and available to employee users who have access to the Reporting section. Reports can include activities (such as logins, downloads, deletions, etc.), storage contents and user access audits. The policy to save data older than 90 days for Corporate and Corporate Gold accounts was put in place fall 2009. Activity before this time may not be available.

ShareFile Authentication

When logging into the Citrix ShareFile web application, you provide your email address and password at your account landing page. After a period of time your session will timeout and you will be prompted to login again. ShareFile Enterprise customers can opt to integrate with Active Directory and redirect this login process. Apps built using the ShareFile API (ShareFile Desktop Apps, ShareFile Mobile Apps, and third-party apps) are not allowed to capture or store the user’s credentials and typically only need limited access, so the ShareFile API leverages an industry standard protocol called oAuth 2.0. According to the oAuth community site, oAuth is “an open protocol to allow secure authorization in a simple and stand method from web, mobile and desktop apps.” For more on oAuth see the community site and the IETF specification. ShareFile stores an oAuth token instead of your credentials and then uses that token to access the ShareFile API instead of your credentials. This allows a tool like ShareFile Sync to run in the background happily keeping all your files in sync without needing to prompt you for a password every time a change is made. This token has limited access to ShareFile only, so it is less of a security risk than storing your credentials. The way authenticating with oAuth tokens works is that ShareFile first prompts you for your email address and password using a secure web form that is similar to the one used when you login to the web application. If using AD integration, we redirect you to configured IdP for the initial authentication. Once you have successfully authenticated, the secure web form provides the application with an oAuth token that is securely stored in the application. All subsequent access is done using this token you will not be asked for your credentials again until the token expires. The expiration for this token can be set by ShareFile administrators in Advanced Preferences. If you lose access to the device where the ShareFile application was installed, you can manually expire the oAuth token in the ShareFile web application under My Settings. Administrators can also expire an oAuth token on behalf of a user in that user’s profile page in Manage Users. Disabling a user will also expire all tokens for that user. Since these tokens act as a replacement for your password, they are not tied to the password expiration policy (either within ShareFile or to an AD password expiration). You will not need to reauthenticate with a tool when you change your password, but only when the oAuth token expires.

Servers and Storage

ShareFile accounts are stored on servers maintained by Amazon Web Services in multiple locations across the globe. An account’s data is generally stored at the server location that is geographically nearest to the administrator. All data centers containing ShareFile servers are SSAE 16 certified, proving that they meet high standards for security. Physical access is tightly controlled, and double verification is required to proceed to any areas housing data. Our servers are firewall protected and regularly updated to ensure that all of the latest security patches and updates are in place. ShareFile has established operational procedures to maintain the availability of the system and user data, as appropriate and agreed to with users. ShareFile procedures take into account system capacity needs, physical and environmental threats to system resources, and recovery timelines needed to uphold service levels. Servers in the control plane are configured for high availability. Databases automatically fail over to an on-site secondary node, and data is further replicated at a geographically segregated disaster recovery site. Replication delays are monitored and addressed in order to meet recovery point objectives. For Citrix-managed StorageZones, storage infrastructure is hosted with AWS and Microsoft Azure and availability is monitored real time by the network operations group. Customers managing their own StorageZones are responsible for availability, capacity planning and disaster recovery for uploaded data in these StorageZones.

ShareFile Company Policies

All ShareFile employees undergo full background checks and sign our handbook prior to beginning employment with the company. The handbook includes an agreement to maintain the privacy and security of account information. Account information and support functions are accessible only from the IP address of ShareFile’s physical office locations. Company policy prohibits employees from accessing accounts or client data except where they have been expressly granted permission by an account administrator for the purpose of support. Any logins or activity by ShareFile Support will be logged in the account activity reports and available for review by account administrators.

ShareFile Cloud Storage Servers

In order to upload or download from a ShareFile account, you must access data housed in ShareFile cloud storage. If you are given an error while connecting to ShareFile, please contact your company’s technical support.

Network Connections used by ShareFile

ShareFile separates application traffic from file uploads and downloads. ShareFile client applications require access to the SaaS application as well as access to the storage location for their account. The SaaS application is hosted by Citrix and accessed using a customer-specific URL such as or User account settings, business logic and file metadata are handled by the SaaS application—no files are stored within the SaaS application tier. Data Storage services (known as StorageZones) may be managed by Citrix or hosted and managed by customers. Files are stored securely within the data storage tier and accessible only by clients who have authenticated to the SaaS application tier. The ShareFile SaaS application authorizes file operations between authenticated users and the appropriate data storage service. Users must authenticate in order to use ShareFile. Authentication can be performed by ShareFile SaaS application or deferred to a 3rd-party enterprise identity provider using SAML. In this article we assume that SAML is used for enterprise authentication. To support accounts that use Citrix-managed storage zones, Citrix manages a variety of storage servers that execute in Amazon or Azure public cloud infrastructure. The list of public cloud servers used for Citrix-managed StorageZones is variable based on your account location, scalability requirements, and other factors, and is subject to change. After successfully authenticating with the SaaS application the client would upload and download files from one of the servers.

Title 21 CFR Part 11

Click here for information on CFR Part 11 compliance.

Reporting a product security vulnerability

To report a reproducible security vulnerability in a Citrix product, including ShareFile, please send the following information to the Citrix Security Response team:

1. Details on the specific vulnerability, including the detailed setup and reproduction steps used to demonstrate the issue.

2. The versions and any associated configuration details of the components that are thought to be impacted.

The above details should be sent to the Citrix security response team using the email address. Citrix recommends that vulnerability reports are encrypted using the PGP public key (fingerprint: 99FE 91C1 51A0 F7D5 4839 6044 351D 173A 623E 751C) attached to this document. Please note that the security response email address should only be used to report specific security vulnerabilities.

For inquiries about the privacy of your information or concerns regarding illegitimate email notifications or scam / phishing attempts, please contact ShareFile via email at, or calling 1-800-441-3453. To reach our Global Customer Support department, you may submit requests directly by clicking here:

Click here to view ShareFile’s Privacy Policy.

XenMobile How Do I


  • No Related Posts

ShareFile Outlook Plugin Known Issues

The ShareFile Outlook Plugin is not supported with any 3rd party service or add-in and cannot be guaranteed to function properly when used in conjunction with other add-ins. This includes (but is not limited to) meta-data scrubbers, SmartVault, iTunes, Grammarly, NETDocuments, and other add-ins. If you are using an antivirus program or add-in such as Norton, Kaspersky or McAfee, please take steps to add ShareFile as an exception to your apps. Metadata Scrubbers may interfere with the ShareFile Plugin for Microsoft Outlook. It is recommended that any metadata scrubber add-ons be disabled in order for the ShareFile Plugin to function properly. Likewise, Exchange Alternatives (such as Kerio Connector) are not compatible with the ShareFile Plugin and may block the plugin from functioning correctly. ShareFile recommends disabling these add-ons.


  • No Related Posts