Citrix Workspace

Citrix Product Documentation | https://docs.citrix.com December 20, 2024

Citrix Workspace

Contents

Citrix Workspace Overview 3

What’s New 6

What’s new in Workspace platform 7

What’s new in Workspace user interface (UI) 15

What’s new in Global App Configuration service 44

Get started with Citrix Workspace 57

System Requirements 61

Deliver DaaS and Virtual Apps and Desktops with Citrix Workspace 63

User Access 65

Activity Manager 68

Citrix Workspace web extension 79

Install Citrix Workspace web extension 82

Workspace offline mode prompt 85

Configure access to workspaces 87

Configure a custom domain 90

Configure Workspace URLs 110

Configure Authentication 125

Customize your workspace experience 135

Customize the appearance of workspaces 136

Customize workspace interactions 142

Customize security and privacy policies 148

Customize store access 160

Integrate services into workspaces 169

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 1

Citrix Workspace

Optimize DaaS in Citrix Workspace 172

Aggregate Virtual Apps and Desktops in workspaces 174

Optimize connectivity to workspaces with Direct Workload Connection 184

Service continuity 194

Enable single sign‑on for workspaces with Citrix Federated Authentication Service 217

Configure Citrix Workspace app using Global App Configuration service 231

Configure settings for cloud stores 239

Configure settings for on‑premises stores 244

Test channel configuration 254

Manage Citrix Workspace app versions 257

Manage plug‑ins using Global App Configuration service 266

Manage settings for user group using configuration profile 276

Clone settings across stores, channels, and configuration profiles 281

Citrix Workspace security overview 286

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 2

Citrix Workspace

Citrix Workspace Overview

August 9, 2024

Citrix Workspace is a service that provides secure access to your virtual apps, desktops, web and SaaS
apps from a web browser or Citrix Workspace app.

Citrix Workspace is a cloud service managed by Citrix. If you wish to deploy this functionality in your
own environment on‑premise then see StoreFront.

How Citrix Workspace works

Citrix Workspace aggregates and integrates Citrix Cloud services, enabling unified access to all the
resources available to your end‑users (subscribers) in one resource location. End users of Citrix Work‑
space are called subscribers because you “subscribe”employees to the services you make available
to them through their workspaces.

For an overview of the services available through Citrix Workspace, see Cloud‑hosted services through
Citrix Workspace.

Subscribers see a complete, unified view of each resource you make available to them through these
services in the Citrix Workspace user interface (UI). For more information on the subscriber experience
of the Citrix Workspace UI, see Manage your workspace experience.

Subscribers access the services that you configure and enable in Workspace Configuration either
through the browser with the Workspace URL, or through the Citrix Workspace app, which replaces
Citrix Receiver. For more information on how users access their workspaces, visit Workspace access.

Subscribers authenticate to their workspaces using the primary identity provider that you configure
in Identity and Access Management and then enable in Workspace Configuration. The subscriber
is then automatically authenticated to each cloud‑hosted service purchased for Citrix Workspace. It
helps increase security and reduces usability challenges. For more information on configuring Work‑
space authentication, visit Configure authentication.

Get started overview

Citrix Workspace is set up through the Citrix Cloud console, in which there’s an Identity and Access
Management administration screen and a Citrix Workspace management interface called Workspace
Configuration. Getting started with Citrix Workspace involves the following tasks.

1. Verify that you’re set up to implement Citrix Workspace in the Citrix Cloud console, where you:

• Onboard to cloud‑based services.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 3

Citrix Workspace

• Assemble your deployment team.

• Configure your infrastructure and resources.

2. Define identity providers and accounts in Identity and Access Management for:

• Citrix Cloud administrators.

• Citrix Workspace subscribers.

3. Configure your workspaces in Workspace Configuration, including:

• Internal and external access.

• Integrating services that you configured in the Citrix Cloud console into your workspaces.
• Customizing the workspace appearance and the subscriber experience once they sign in.

Beyond this basic setup, you have other security, privacy, and optimization options to choose from.
The most common are:

• Configure single sign‑on (SSO) to DaaS in Citrix Workspace with the Citrix Federated Authenti‑
cation Service (FAS).

Note

FAS is typically adopted if you’re using a federated authentication method, such as Okta or Azure
Active Directory.

For an overview of the tasks and the information needed as you progress in your deployment, see Get
started with Citrix Workspace. Each step guides you through the Citrix Cloud console for tasks like con‑
figuring your identity provider. The walkthrough also provides quick access to technical information
needed for assembling your deployment team, and configuring your infrastructure and resources.

End user access

End‑users connect to workspace from their devices using either Citrix Workspace app or their web
browser. For more information, see User access

Cloud‑hosted services through Citrix Workspace

Subscribers use Citrix Workspace to access the resources provided by cloud‑hosted services. Existing
Citrix Cloud customers can transition to the full digital workspace experience by taking these services
with them into the Citrix Workspace solution.
This section describes the main cloud‑hosted services that can be enabled for Citrix Workspace, de‑
pending on your entitlements. For information on how to configure and enable access to your pur‑
chased services, visit Get started with Citrix Workspace. For a complete description of each Citrix
Workspace edition and included features, see the Citrix Workspace Feature Matrix.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 4

Citrix Workspace

Citrix DaaS

To set up the Citrix DaaS, follow the steps outlined in Citrix DaaS.
If you’re an on‑premises Virtual Apps and Desktops customer, there are different options for accessing
your resources through Citrix Workspace. The option you choose depends on two factors. The first
factor is whether you want to migrate fully to the cloud or adopt a hybrid solution. The second factor is
whether you plan to allow external access. For more information on these options, visit Deliver DaaS
with Citrix Workspace.

SaaS and Web apps, secured with the Citrix Secure Private Access service

Citrix Secure Private Access provides single sign‑on (SSO) to Web and SaaS apps that are integrated
into Workspace. The service also allows you to manage access permissions and control policies. It
helps sanction appropriate levels of access to enterprise‑hosted web apps based on the subscriber’s
credentials.
For more information on using Citrix Secure Private Access service, visit Tech Brief: Secure Private
Access.

Citrix Gateway service

The Citrix Gateway service delivers connectivity to your Virtual Apps and Desktops, web and SaaS apps
based on an advanced policy infrastructure.
Follow the steps to set up the Citrix Gateway service, then configure Workspace to use it to provide
remote access to your resources.

Citrix Remote Browser Isolation service

Integrate Citrix Remote Browser Isolation service into your workspaces to isolate web browsing
and protect the corporate network from browser‑based attacks. When subscribers navigate to the
Workspace URL, their published browsers are shown, along with other apps and desktops that are
configured in other Citrix Cloud services.
To give subscribers access to a remote isolated browser, set up Remote Browser Isolation. After that,
test and share the Workspace URL with your subscribers.

Citrix Analytics

The Citrix Analytics service gathers and provides insights on all your Citrix Workspace subscribers.
There are different Citrix Analytics offerings available to you depending on your entitlements. The of‑

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 5

Citrix Workspace

ferings include Citrix Analytics for Security, Citrix Analytics for Performance, and Citrix Analytics
(Usage). To learn more about these services, visit Citrix Analytics.

What’s New

October 26, 2023

Citrix aims to deliver new features and updates to Citrix Workspace customers when they are avail‑
able. Initial releases are applied to Citrix internal sites and are gradually applied to customer environ‑
ments.
For details about the Service Level Agreement for cloud scale and service availability, see the Citrix
Cloud Service Level Agreement. To monitor service interruptions and scheduled maintenance, see
the Service Health Dashboard.

What’s new in Citrix Workspace

Stay informed about the latest enhancements and updates in Citrix Workspace to use the full potential
of our technology. Maximize your user’s productivity and enhance the quality of their interactions by
incorporating timely updates from Citrix Workspace.

• What’s new in Workspace Platform

• What’s new in Workspace User Interface
• What’s new in Global App Configuration Service

Citrix Workspace app on various platforms

Learn more about the new features and enhancements in Citrix Workspace App for your favorite
platforms using the following links.

• Android
• ChromeOS
• HTML5
• iOS
• Linux
• Mac
• Microsoft Teams
• Windows
• Windows Store

Also, see what’s new in Citrix Enterprise Browser.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 6

Citrix Workspace

What’s new in Workspace platform

July 24, 2024

Citrix aims to deliver new features and updates to Citrix Workspace customers when they’re available.
New releases provide more value, so there’s no reason to delay updates.

This process is transparent to you. Initial updates are applied to Citrix internal sites only and are then
applied to customer environments gradually. Delivering updates incrementally maximizes product
quality and availability.

For details about the Service Level Agreement for cloud scale and service availability, see the Citrix
Cloud Service Level Agreement. To monitor service interruptions and scheduled maintenance, see
the Service Health Dashboard.

July 2024

Configure store names for your store URL

Administrators can now add custom store names while adding stores to Citrix Workspace app. Store
names make identifying and distinguishing the stores easier for end users. Previously, in a multiple
Workspace URL setup (subdomains of cloud.com), all the stores would be called “Store”, with an au‑
tomatically generated numeric suffix. For example, Store 1, Store 2, Store 3, and so on. This arrange‑
ment made it difficult for the administrators and end users to associate the store name with the store
URLs.

With this feature, admins can give the stores a short name that end users can recognize. In addition,
admins have the capability to enable or disable the ability for end users to modify the store name on
their Citrix Workspace app.

For more information, see Configure store names for your store URL.

Feb 2024

Create multiple Workspace URLs ‑ General Availability (GA)

The multiple Workspace URL feature is now generally available for all users. You can now create mul‑
tiple Workspace URLs (subdomains of cloud.com) and use these URLs as policy inputs. For example,
you can configure different URLs for different subsidiaries or divisions within your organization. Each
of these URLs can have different branding, authentication methods, or desktops and apps.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 7

Citrix Workspace

Note:

You can create a maximum of 10 URLs for your Workspace.

Each store is accessible by a unique URL can differ in the following aspects:

• Branding of the UI (post login)

• Apps and desktops
• Authentication configuration (such as different identity providers)

For more information, see Configure multiple Workspace URLs.

Dec 2023

Create multiple Workspace URLs (Technical Preview)

You can now create multiple Workspace URLs (subdomains of cloud.com) and use these URLs as pol‑
icy inputs. For example, you can configure different URLs for different subsidiaries or divisions within
your organization. Each of these URLs can have different branding, authentication methods, or desk‑
tops and apps.

Note:

You can create a maximum of 10 URLs for your Workspace.

Each store is accessible by a unique URL can differ in the following aspects:

• Branding of the UI (post login)

• Apps and desktops
• Authentication configuration (such as different identity providers)

For more information, see Configure Workspace URLs.

Nov 2023

Configure a custom domain ‑ General Availability

The Custom Domain feature is now generally available. You can configure a custom domain for your
workspace, which allows you to use a domain of your choice to access your Citrix Workspace store.
You can then use this domain in place of your assigned cloud.com domain for access from both a web
browser and Citrix Workspace applications. For more information, see Configure a custom domain.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 8

Citrix Workspace

Aug 2023

Add your own TLS certificate for custom domain (Preview)

You can now upload your own TLS certificate for authentication while configuring a custom Workspace
URL. Before uploading a certificate, ensure that the certificate fulfills the following conditions.

• It should be PEM encoded.

• It should remain valid for at least next 30 days.
• It should be used exclusively for custom Workspace URL, wildcard certificates are not accept‑
able.
• The common name of the certificate should match the custom domain.
• SANs on the certificate should be for the custom domain, any additional SANs are not allowed.
• The duration for which the certificate is valid should not exceed 10 years.

To add your certificate, navigate to the Provide a URL page, and select the Add your own certificate
option under Select TLS certificate management preference.

You can then add your certificate on the Add your own certificate page.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 9

Citrix Workspace

For more information, see Adding a custom domain.

Note:

You can provide feedback for this preview feature using the attached Podio form.

May 2023

Configure a custom domain (Preview). You can configure a custom domain for your workspace,
which allows you to use a domain of your choice to access your Citrix Workspace store. You can then
use this domain in place of your assigned cloud.com domain for access from both a web browser and
Citrix Workspace applications. For more information, see Configure a custom domain (Preview).

March 2023

Additional inactivity timeout settings:. You can now enable extra inactivity timeout settings for
both desktop and mobile users of Workspace app. For more information, see Customize security and
privacy policies.

December 2022

Additional send custom announcement configuration option:. You can now set the page place‑
ment when configuring Send custom announcement to either top or bottom. For more information,

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 10

Citrix Workspace

see Customize security and privacy policies.

Support for Traditional Chinese language. Citrix Workspace is now available in the Traditional Chi‑
nese language.

October 2022

Support for Korean language. Citrix Workspace is now available in the Korean language.

Support to customize Citrix Workspace app settings. Administrators can now configure the set‑
tings for Citrix Workspace app for iOS, Android, HTML5, Mac, and Windows platforms using the Global
App Configuration service.

August 2022

Improvements to Workspace launch experience. When a user launches their workspace over web
or browser, a notification is triggered showing the launch status. If the user attempts to close the
browser when a launch is in progress, the user is prompted for confirmation and informed that a ses‑
sion launch is in progress. For more information, see Get started with Citrix Workspace.

June 2022

Support for service continuity with Safari. Citrix Workspace Web extensions make service continu‑
ity available to users who access their apps and desktops through a browser. For more information,
see Service continuity in browser.

May 2022

New configuration option for federated identity provider: Enable or disable your federated iden‑
tity provider to allow your subscribers to be prompted to authenticate when logging in to Workspace.
For more information, see Customize workspace interactions.

Reauthentication period for Workspace app general availability: Reauthentication periods allow
subscribers to stay signed in to Workspace without being prompted to sign in every time they access
their workspace. When signing in through Workspace app, subscribers consent to stay signed in. Sub‑
scribers remain signed in during the reauthentication period as long as they’re using their apps and
desktops. For more information about this feature, see Set a reauthentication period for Citrix Work‑
space app.

Support for service continuity on iOS: Service continuity is now supported for Citrix Workspace app
for iOS in general availability. For more information, see Service continuity.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 11

Citrix Workspace

New error codes for service continuity: New error codes are now available to aid in troubleshooting
failed service continuity connections. For more information, see Service continuity.

March 2022

Support for service continuity on Android and iOS: Service continuity is now supported for Citrix
Workspace app for Android in general availability and Citrix Workspace app for iOS in technical pre‑
view. For more information, see Service continuity.

February 2022

Support for service continuity with Citrix Workspace app for Android (general availability) and
Citrix Workspace app for iOS (technical preview): Service continuity allows users to connect to
their virtual apps and desktops even during outages. It is now supported for Citrix Workspace app
for Android in general availability and Citrix Workspace app for iOS in technical preview. For more
information, see Service continuity.

Send custom announcement and custom sign‑in policy: Two new features are now available for
all customers. These features allow Workspace administrators to display their own post‑login persis‑
tent banner and pre‑login custom message or license agreement in Citrix Workspace app. For more
information, see Customize security and privacy policies.

December 2021

Remove the default, split sign‑in screen for employee and client users of Citrix Content Collab‑
oration: Citrix Workspace now allows you to enable a single sign‑in flow for both client and employee
users. For more information, see Create a unified user sign‑in flow.

Support for service continuity in browser with Citrix Workspace app for Mac: Citrix Workspace
Web extensions make service continuity available to users who access their apps and desktops
through a browser. This feature now is supported on devices running Citrix Workspace app for Mac.
For more information, see Service continuity.

November 2021

Policy‑driven theming: You can create and prioritize Workspace themes, and add each theme to
different user groups in Workspace Configuration. For more information, see Customize the appear‑
ance of workspaces.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 12

Citrix Workspace

October 2021

Electronic signature language support: Electronic signature now offers support for Italian and
Brazilian Portuguese in addition to the following languages: German, French, Spanish, Japanese,
Dutch, and Simplified Chinese. For more information, see RightSignature multi‑language support.

FAS support for multiple resource locations general availability: Citrix Workspace now supports
providing single sign‑on to virtual apps and desktops across multiple resource locations. Also, FAS
servers in one resource location can be designated as primary or secondary to provide failover for FAS
servers in other resource locations. For more information, see Enable single sign‑on for workspaces
with Citrix Federated Authentication Service.

September 2021

Citrix Workspace app for HTML5 introduced to Citrix Workspace: Citrix Workspace app for HTML5
delivers the Citrix Workspace experience in browsers without any installation on the device. For more
information about Citrix Workspace app for HTML5, including new features, visit the Citrix Workspace
app for HTML5 product documentation.

Support for service continuity in browser general availability: Citrix Workspace Web extensions
make service continuity available to users who access their apps and desktops through a browser.
This feature is for Google Chrome and Microsoft Edge on Windows devices. For more information, see
Service continuity in browser.

July 2021

Custom subscriber license agreement policy: You can present subscribers with a custom usage
agreement policy to read and accept before they sign into their Workspace. For more information
about this feature, see Configure a sign‑in policy.

Reauthentication period for Workspace app preview: Reauthentication periods allow subscribers
to stay signed in to Workspace without being prompted to sign in every time they access their work‑
space. When signing in through Workspace app, subscribers consent to stay signed in. Subscribers
remain signed in during the reauthentication period as long as they’re using their apps and desktops.
For more information about this preview feature, see Set a reauthentication period for Citrix Work‑
space app.

Network location configuration through Citrix Cloud: You can now configure network locations
through the Citrix Cloud management console in addition to using the Citrix‑provided PowerShell
script. For more information about this feature, see Optimize connectivity to workspaces with Direct
Workload Connection.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 13

Citrix Workspace

June 2021

FAS support for multiple resource locations preview: Citrix Workspace now supports providing
single sign‑on to virtual apps and desktops across multiple resource locations. FAS servers in one
resource location can be designated as primary or secondary to provide failover for FAS servers in
other resource locations. For more information about this preview feature, see Enable single sign‑on
for workspaces with Citrix Federated Authentication Service.

Support for service continuity in browser technical preview: Citrix Workspace Web extensions
make service continuity available to users who access their apps and desktops through a browser.
This technical preview is for Google Chrome and Microsoft Edge on Windows devices. For more infor‑
mation, see Service continuity in browser.

Service continuity general availability: Service continuity allows users to connect to their virtual
apps and desktops even during outages in Citrix Cloud components or in public and private clouds.
For more information, see Service continuity.

Citrix RightSignature app available: Take advantage of Citrix app, an electronic signature solution
that comes with Workspace Premium and Premium Plus to request e‑signatures on documents on any
device through Citrix Workspace. For more information, see Configure Citrix RightSignature app.

May 2021

Custom themes technical preview: Customizing the appearance of Workspace for subscribers now
supports custom themes that you can assign to different user groups. Create, customize, and prior‑
itize themes so subscribers in those user groups see their appropriate workspace theme when they
sign in. For more information, see Customize the appearance of workspaces.

Electronic signature language support: Electronic signature capability now offers support for the
following languages: German, French, Spanish, Japanese, Dutch, and Simplified Chinese. For more
information, see RightSignature multi‑language support.

February 2021

Account password changes: Subscribers can change their domain password from within Citrix Work‑
space. Administrators can also provide password guidance to subscribers for creating valid complex
passwords in accordance with their organization’s password policy. For more information, see Allow
subscribers to change their account password.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 14

Citrix Workspace

December 2020

Service continuity technical preview: Service continuity allows users to connect to their Citrix DaaS
even during outages in Citrix Cloud components or in public and private clouds. For more information,
see Service continuity.

October 2020

FedRAMP Ready: Citrix Workspace is FedRAMP Ready when deployed in Citrix Cloud Government.
FedRAMP is a program that promotes security standards for cloud services used by US government
organizations. US government organizations that require FedRAMP Ready cloud services can now
use Citrix Workspace and Citrix DaaS services to deliver DaaS. For more information, see Citrix Cloud
Government.

May 2020

Get Started with Citrix Workspace guide: Citrix Workspace now includes a step‑by‑step walk‑
through to help you deliver workspaces quickly to your end‑users. The walkthrough guides you
through the Citrix Cloud console so you can configure an identity provider, add administrators, and
enable workspace authentication and services. For an overview of the tasks and quick access to the
instructions you need, see Get Started with Citrix Workspace.

December 2019

Network Location Service: You can now ensure that users who launch apps and desktops in Work‑
space from within the corporate network are routed directly to their VDAs. This bypasses the gateway
and results in faster DaaS sessions. For more information about this service and setup instructions,
see Optimize connectivity to workspaces with the Network Location Service.

Improvements for Recent and Favorite apps: Recents and Favorites are loaded first in Workspace,
so users can launch their commonly used apps and desktops right away.

What’s new in Workspace user interface (UI)

December 4, 2024

A goal of Citrix is to deliver new features and product updates to customers as and when they are
available. New releases provide more value, so there’s no reason to delay updates.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 15

Citrix Workspace

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites
only, and are then applied to customer environments gradually. Delivering updates incrementally
helps to ensure product quality and to maximize the availability.

It is possible that the updates mentioned in this documentation are being rolled out and are not ac‑
cessible to all customers at the same time.

The following sections list the new features in current and earlier releases for Workspace UI.

Note:

• For more information on the new UI, see New Workspace user interface.
• For more information on Activity Manager, see Activity Manager.

24.49

This release addresses areas that improve overall performance and stability.

Fixed issues

This release addresses areas that improve overall performance and stability.

Known issues

There are no new known issues.

Earlier releases

This section provides information on new features and fixed issues in the earlier releases that we sup‑
port.

24.47

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.46

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 16

Citrix Workspace

24.45

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.43

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.41

Mandate users to authenticate and open apps and desktops only through the native Citrix Work‑
space app (Preview) Administrators can enforce the use of the native Citrix Workspace app, elim‑
inating the option for users to access the Citrix Workspace web client on browsers. This feature is
designed for customers who want to leverage the full benefits of the native app. The native app offers
advantages such as built‑in App Protection service, no browser version compatibility issues, enhanced
security and telemetry for monitoring and troubleshooting.

When the administrators enable this feature, end users see the following webpage when they attempt
to access the web client by entering the store URL in a browser.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 17

Citrix Workspace

Once users click Open Citrix Workspace, the store is automatically added to the native app for an
easier transition from the web client to the native app. This feature is available for Citrix Workspace
app for Windows, Mac, Android, and iOS. For more information on compatible native app versions for
automatic store addition, see Compatible versions of Citrix Workspace app.

Note:

The feature is applicable to cloud stores for all supported browsers.

For more information, see Customize store access.

Reconnect and transfer apps and desktops through Activity Manager Activity Manager intro‑
duces reconnect and transfer resource features. The reconnect feature lets end users easily reconnect
to disconnected apps and desktops in Citrix Workspace app. The transfer feature allows end users to
transfer active sessions from other devices to the current device.

For more information, see Reconnect to disconnected apps and desktops and Transfer your apps and
desktops.

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no known issues in this release.

24.40

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.39

Workspace offline mode prompt: Enhanced design, behavior, and loading Time The Work‑
space offline mode feature is optimized in terms of design, behavior, and loading time. The new
prompt for offline mode is less intrusive as it doesn’t interrupt the ongoing user authentication.
Users can continue with their authentication process when the offline mode option appears. They
can either continue signing in or use offline mode to work and access available apps offline in case
of authentication issues. Additionally, the prompt is movable, allowing users to drag it to see the
contents it was hiding.

Previously, the offline mode prompt appeared in just 30 seconds while user signing in to the store URL,
interrupting the flow. However, the enhanced prompt now waits for 60 seconds before appearing, and

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 18

Citrix Workspace

it can appear on any webpage, including the sign‑in screen, and other redirecting pages. The new
prompt now appears as an optional prompt, allowing users to complete the ongoing authentication
process uninterrupted.

Note:

The feature is enabled by default and is available only for cloud stores.

For more information, see Workspace offline mode prompt

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no known issues in this release.

24.37

Enhanced UI centralized layout The Workspace UI has a better resource alignment, unlike the pre‑
vious layout where resources stretched across the entire width of the screen, the enhanced UI offers
a more visually appealing design by centrally aligning the resources and limiting the display to a max‑
imum of six resources per row. This enhanced UI provides a better user experience, leading to im‑
proved productivity.

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no known issues in this release.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 19

Citrix Workspace

24.36

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.33

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.32

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.31

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.30

Manage installation prompt for Workspace Web extension You can now manage the display of
the installation prompt for the Workspace Web extension. Enabling the prompt allows Workspace
to detect whether the extension is installed on the user’s device when they open Citrix Workspace
from a browser. If the extension isn’t installed, users are prompted to download and install it. Once
users install the extension, it helps to open the apps and desktops in the native Citrix Workspace app
automatically without the intervention of Workspace detection screen. As per your preference, you
can set the prompt as either mandatory or optional. This prompt feature is compatible with Google
Chrome and Microsoft Edge browsers.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 20

Citrix Workspace

When users click the Install button, it redirects the users to the respective browser’s web extension
store, where they can download the Workspace Web extension. The prompt won’t appear next time
once the user downloads and installs the extension. For more information about managing the
prompt, see Launching apps and desktops.

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no known issues in this release.

24.29

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.28

Deprecation of old Workspace UI The old Workspace UI experience is now deprecated. Adminis‑
trators no longer have the option to enable the old UI for end users. The new Workspace UI offers a
better user experience and increases productivity, and it is enabled by default.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 21

Citrix Workspace

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no new known issues.

24.27

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.23

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.22

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.21

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.20

Enhanced search experience The Citrix Workspace app introduces an enhanced search engine fea‑
ture, allowing end users to view the app path alongside search results. This functionality assists end
users in quickly identifying an app’s location. Long app paths are truncated to maintain a clean and
uncluttered search results list. You can see the complete path when hovering the mouse pointer over
the path’s breadcrumb. Additionally, the category name will be highlighted in bold for easy recogni‑
tion if it matches the search input.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 22

Citrix Workspace

Performance improvement Citrix Workspace UI now loads faster than before after the enhance‑
ments in the following areas:

1. Parallelizing user authentication and Workspace UI loading Citrix Workspace UI loads quickly
while the user authentication check runs in the background. Unlike previous Citrix Workspace UI,
the new version stores cache data locally of previous sessions and reuses it for quicker app opening.
Consequently, the app no longer requires users to wait for authentication checks to complete.

Previously, users could access the app only after the authentication checks were complete. This de‑
lay of around 1‑2 seconds has now been rectified, allowing returning users to enter the store url and
start accessing the Workspace UI while the user authentication check runs in the background. If the
user session is found to be not logged in during the background check, the app prompts the user for
authentication to continue the session. Additionally, the app continues to refresh app data in the
background so that this data can be used in subsequent sessions.

2. Caching Workspace UI The Workspace UI now loads from cache, resulting in quicker opening of
the app than before. Additionally, Workspace UI refreshes itself in the background to fetch the latest
version of UI whenever the user minimizes the Workspace app, switches to another browser tab from
Workspace web app tab or reloads the app.

Note:

The performance improvement is applicable for both Citrix Workspace app and Citrix Workspace

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 23

Citrix Workspace

Web app.

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no known issues in this release.

24.19
Hibernate and Resume virtual desktop sessions (Preview)

Note:

This feature is currently available only on cloud stores.

Users can now hibernate their virtual desktop sessions on Citrix Workspace app when not in use and
resume them from where they left off. The hibernate action preserves the entire state of the desktop
session, including the running apps. The feature allows the users to seamlessly resume their sessions
upon signing back again. When resumed, the desktop session launches faster compared to stopped
or deallocated virtual desktops.

Citrix Activity Manager’s Hibernate and Resume feature represents a significant advancement in VDI
management, offering organizations a powerful tool to optimize resource utilization and enhance user
experience. This feature efficiently manages resources, improves user experience, and reduces energy
consumption during hibernation, resulting in significant cost savings.

For more information on configuring this feature on user devices and performing hibernation and
resume operations, see Hibernate and Resume virtual desktop sessions (Preview).

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no known issues in this release.

Workspace Web Extension 24.4.0

Supports Custom domains Starting with version 24.4.0, Workspace Web Extension now fully sup‑
ports the opening of apps and desktops for custom domains on both Microsoft Edge and Google
Chrome browsers. Users can seamlessly access their workspace resources on custom domain URLs,
enhancing productivity and streamlining workflows.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 24

Citrix Workspace

24.18

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.17

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.15

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.14

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.13

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.12

Manage installation prompt for Workspace Web extension (Preview) You can now manage the
display of the installation prompt for the Workspace Web extension. Enabling the prompt allows Work‑
space to detect whether the extension is installed on the user’s device when they open Citrix Work‑
space from a browser. If the extension isn’t installed, users are prompted to download and install
it. Once users install the extension, it helps to open the apps and desktops in the native Citrix Work‑
space app automatically without the intervention of Workspace detection screen. As per your prefer‑
ence, you can set the prompt as either mandatory or optional. This prompt feature is compatible with
Google Chrome and Microsoft Edge browsers.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 25

Citrix Workspace

When users click the Install button, it redirects the users to the respective browser’s web extension
store, where they can download the Workspace Web extension. The prompt won’t appear next time
once the user downloads and installs the extension. For more information about managing the
prompt, see Launching apps and desktops.

Note:

You can sign up for this preview feature using the attached Podio form.

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no known issues in this release.

24.11

Activity Manager has manual refresh option With this release, end users can now manually re‑
fresh the list of items within the Activity Manager for the cloud store, accessible on both desktops
and mobile devices. They are no longer required to restart the Activity Manager to see the updated
list. Two options are available to refresh the list: a refresh button and a refresh icon. End users can
use the Refresh button when the Activity Manager screen is empty, and they can use the refresh icon

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 26

Citrix Workspace

to update the existing list. This new feature enhances the end user experience by allowing them
to manage the sessions within the Activity Manager more efficiently and conveniently.

Activity Manager on desktop version:

Activity Manager on mobile version:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 27

Citrix Workspace

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues There are no known issues in this release.

24.10

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 28

Citrix Workspace

24.9

Disable Simple View of Workspace UI Currently, when users launch Citrix Workspace app with
fewer than 20 resources, they see the screen with Simple View where users don’t see navigation tabs,
like Home, Apps, and Desktops. All the apps and desktops are consolidated on one page and adminis‑
trators don’t have the control to disable this view. With this release, you can disable the Simple View
and customize the new Workspace UI as per your preference.

Even if the number of resources are less than 20, you can still use the navigation tabs if you prefer a
consistent view for your users. For more information on how to manage the Simple View, see Work‑
space visual and layout improvements.

Fixed issues There are no fixed issues in this release.

Known issues There are no known issues in this release.

24.8

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.
Support for Finnish language: Citrix Workspace UI is now available in the Finnish language.

24.7

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.6

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 29

Citrix Workspace

24.5

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

24.4

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.49

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.48

View user’s display name and profile picture on Workspace UI With this release, users can now
view their display name and profile picture on the Workspace UI. The user’s display name is shown
along with the greetings. The profile picture, initials, or a generic image appears on the user menu
at the upper‑right corner. Admins must note that Workspace UI displays this information only if the
Active Directory fetches valid data.

For more information, see Manage user’s display name and profile picture

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 30

Citrix Workspace

Fixed issues This release addresses areas that improve overall performance and stability.

23.46

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.45

This release addresses areas that improve overall performance and stability.

Fixed issues

• Google Search indexing has been removed from Citrix Web to prevent internal URLs from ap‑
pearing in Google’s search results. However, if your URLs have already been indexed by Google,
you must take steps to remove them. For more information, see Remove a page hosted on your
site from Google.

23.44

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.43

This release addresses areas that improve overall performance and stability.

Fixed issues This release addresses areas that improve overall performance and stability.

23.42

This release addresses areas that improve overall performance and stability.

Fixed issues This release addresses areas that improve overall performance and stability.

23.41

This release addresses areas that improve overall performance and stability.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 31

Citrix Workspace

Fixed issues This release addresses areas that improve overall performance and stability.

23.40

Streamlined discovery of new apps End users can now easily spot newly added apps, making it
easier to explore and utilize the latest apps. When an admin delivers a new app to an end user, it
is highlighted on the end user’s workspace and a green dot is displayed on the app tile for the first
time.

Fixed issues This release addresses areas that improve overall performance and stability.

23.39

This release addresses areas that improve overall performance and stability.

Fixed issues This release addresses areas that improve overall performance and stability.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 32

Citrix Workspace

23.38

This release addresses areas that improve overall performance and stability.

Fixed issues This release addresses areas that improve overall performance and stability.

23.37

New Workspace UI ‑ General Availability The new Workspace user interface is now generally avail‑
able. It introduces new UI capabilities with a modern look and feel for a cleaner view. The UI enhance‑
ments are applicable for web, desktops, and mobile. Admins can enable it for their end users from
Workspace Configuration > Customize > Features. For more information, see New Workspace UI.
Note:

By default, the new UI toggle will be in a disabled state for the next 6 months unless enabled by
admins. After 6 months, the new UI will be enabled for all users by default and the current UI
experience will be deprecated. Admins need to transition their users to the new UI within the
next 6 months.

Activity Manager ‑ General Availability The Activity Manager feature is now generally available
on the new UI for cloud. Activity Manager is a simple yet powerful feature that empowers users to
effectively manage their resources.It enhances productivity by facilitating quick actions on active and
disconnected apps and desktops from any device. Admins can enable this feature for their end users
from Workspace Configuration>Customize>Features>Activity Manager. For more information, see
Enable Activity Manager.
Once enabled, apps and desktops that are either active or in a disconnected state are displayed on
the Activity Manager panel. End users can click the ellipses (…) icon to take quick actions.
Following actions can be performed for active apps and desktops.

• Disconnect: Disconnects the remote session but the apps and desktops are active in the back‑
ground.
• Log out: Logs out from the current session. All the apps in the sessions are closed, and any
unsaved files are lost.
• Shut Down: Closes your disconnected desktops.
• Force Quit: Forcefully powers off your desktop in case of a technical issue.
• Restart: Shuts down your desktop and start it again.

Activity Manager also enables end users to interact with their disconnected apps and desktops. Ensure
that you have upgraded to the latest DDC version(115). For more information, see Disconnected apps
and desktops.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 33

Citrix Workspace

Fixed issues This release addresses areas that improve overall performance and stability.

Known issues

• The Activity Manager panel displays active sessions across all the stores that the user is currently
signed into.
• Activity Manager operations such as Logout, Disconnect, and more are not supported for appli‑
cations that have policies enabled.

23.36

View sub‑categories for applications on mobile platforms End users can now view their apps or‑
ganized into categories and sub‑categories on android and iOS devices, providing easy access and a
pleasant app browsing experience. To view categories, navigate to the Apps tab and click the Cate‑
gories dropdown.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 34

Citrix Workspace

Select the relevant category, a list of available sub‑categories and applications is displayed based on
the configuration made by the admin. Sub‑categories are displayed as folders that might contain
further sub‑folders or applications as per the admin configuration. For more information, see Add
folder path

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 35

Citrix Workspace

Manage disconnected sessions on Activity Manager from any device Activity Manager now en‑
ables end users to view and take actions on apps and desktops that are running in disconnected mode,
locally or remotely. Sessions can be managed from mobile or desktop devices, enabling end users to
take action on the go. Taking action on disconnected sessions such as log out or shut down promotes
optimized use of resources and reduces energy consumption.

• The disconnected apps and desktops are displayed on the Activity Manager panel and are indi‑
cated by a disconnected icon.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 36

Citrix Workspace

• The disconnected apps are grouped under the respective sessions and the sessions are indi‑
cated by a disconnected icon.

End users can take the following actions on their disconnected desktops by clicking the ellipses but‑
ton:

• Log out: use this to log out from your disconnected desktop. All the apps in the session are
closed, and any unsaved files are lost.
• Shut Down: use this option to close your disconnected desktops.
• Power off: use this option to forcefully power off your disconnected desktops in case of a tech‑
nical issue.
• Restart: use this option to shutdown and start the disconnected desktop again.

For more information, see Disconnected apps and desktops in Activity Manager.

Fixed issues This release addresses areas that improve overall performance and stability.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 37

Citrix Workspace

23.35

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.34

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.33

Enhanced user experience with app categorization End users can view their applications orga‑
nized into categories and sub‑categories on the Workspace user interface. If the categorization in‑
volves more than two levels, end users will see their applications arranged within a folder structure.
The navigation breadcrumbs are visible to the users.
When the number of primary categories created by the admins exceeds the available space on the
user’s screen, the user interface adjusts based on the screen size, and dynamically moves categories
under the More dropdown.

Fixed issues This release addresses areas that improve overall performance and stability.

23.32

App categorization for easy access Admins can deliver apps organized into categories and subcat‑
egories, providing a pleasant app browsing experience for their end users. From the second level of
categorization, end users will see a folder structure. The organized multi‑level structure makes for a

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 38

Citrix Workspace

clutter‑free, optimized experience that helps enhance the overall user satisfaction. For more informa‑
tion on creating folders and sub‑folders, see Create delivery groups.

Fixed issues This release addresses areas that improve overall performance and stability.

23.31

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.30

Manage Activity Manager As an admin, you can now enable or disable the Activity Manager fea‑
ture for your end users. As per your organization policies, you can enable the feature for everyone or
selected users and user groups. When enabled, the Activity Manager panel lets your end users view
and interact with their active apps and desktops. For more information, see Activity Manager.
Note:

This feature is supported only for virtual apps and desktops. It is not applicable to web and SaaS
apps.

To enable Activity Manager:

1. On the Admin console, go to Workspace Configuration > Customize > Features.

2. In the Activity Manager section, turn‑on the toggle to enable Activity Manager.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 39

Citrix Workspace

3. You can then customize the access permissions as follows.

• To enable Activity Manager for all end users, select Enable for Everyone.

• To enable Activity Manager for selected users and user groups, select Enable for selected
user and user groups. You can then select the directory to which the users or user groups
belong. Once the appropriate directory is selected, you can view relevant users and user
groups.

• To disable Activity Manager for everyone, turn‑off the toggle.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 40

Citrix Workspace

4. Click Save.

Fixed issues This release addresses issues that help to improve overall performance and stability.

23.29

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.28

Deprecation announcement for Internet Explorer UI version 23.26 is available on Internet Ex‑
plorer till the last week of 2023. Citrix does not support new features, bug fixes, or security patches
post the 23.26 release. Additionally, administrators receive a notification to upgrade to the supported
browsers and supported LTSR (LTSR2203 or later).

Fixed issues This release addresses issues that help to improve overall performance and stability.

23.27

This release addresses issues that help to improve overall performance and stability.

Fixed issues

• With this fix, error boundary and component level error handling have been implemented.
[WSUI‑7423]

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 41

Citrix Workspace

• Offline banner gets minimized once you click the ellipses icon. [WSUI‑7797]

23.26

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.25

View description of apps and desktops End users can now view the description provided by ad‑
mins for apps and desktops. These descriptions aid in comprehending the intended functionality of
an app or desktop. They are especially useful in case multiple apps exist with the same name but
differ in their configuration, location, environment, etc.
To view the description of an app or desktop, click ellipses on the respective tile and then click View
Details.

Fixed issues This release addresses issues that help to improve overall performance and stability.

23.24

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 42

Citrix Workspace

23.23

This release addresses areas that improve overall performance, stability, and feature enhance‑
ments.

23.22

Introducing Activity Manager You can now manage and take quick actions on the apps and desk‑
tops that are active across any device from a single window pane within the Workspace UI. All the
active apps and desktops are grouped in the session that you’re currently using.

The Activity Manager icon appears on the Workspace UI window to the left of the profile icon. When
you click the icon, you see the following:

• A list of apps and desktops started from the device that you’re using under On this device.
• A list of apps and desktops active on other devices under Running Remotely.

For more information, see Activity Manager.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 43

Citrix Workspace

Note:

If you are unable to view the Activity Manager icon clearly, consider changing the color selected in
the Banner text and icon color setting. The icon might not be visible clearly due to a low contrast
between the banner and the Activity Manager icon. For more information, see Configure custom
themes.

Known issues
• If a session gets disconnected, users will not be able to log out from it. Disconnected sessions
are not displayed on the Activity Manager panel.
• On , the list of active apps and desktops displayed on the Activity Manager panel lists active
sessions from all the stores.

23.15

New Workspace user interface introduces new UI capabilities with a modern look and feel for a
cleaner view. The UI enhancements are applicable for web, desktops, and mobile.

Enhanced first‑time user experience When you launch the downloaded or Citrix from a browser
for the first time, you’re prompted with a screen that lists the relevant apps. These apps are decided
by the admin, and you can add these apps as favorites with a single click.

Enhanced search experience The enhanced Search feature gives you faster results from the search
engines. The Search option allows you to do a quick and intuitive search from within the Workspace
app.

Admin related tasks

As an admin you can customize the user experience of the Workspace app for your subscribers. See
the following sections for more information

• Enable the new Workspace experience for users

• Enable or disable Home screen for users

What’s new in Global App Configuration service

December 20, 2024

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 44

Citrix Workspace

The following sections list the new features in current and earlier releases for the Global App Configu‑
ration service.

Dec 20, 2024

Configuration profile feature is available for on‑premises store users

The configuration profiles feature in Global App Configuration service allows the administrators to
configure settings for user groups. This feature is now available for on‑premises stores as well. For
more information on compatible Citrix Workspace app versions that support this feature, see Verify
Citrix Workspace app version.

For more information, see Manage settings for user group using configuration profiles.

Dec 12, 2024

Define timeframe for automatic update

Administrators can now schedule automatic updates for Citrix products at any preferred time on their
Mac devices. During this specified time, software updates automatically or users receive notifications
on available updates.

For more information, see Automatic update timeframe.

Manage automatic update version and rollout period for Citrix Workspace app

Administrators can schedule convenient date ranges during which an automatic update of Citrix Work‑
space app should roll out to their end users. This capability allows them to determine the rollout dates,
minimizing disruption to end users and improving the user experience.

For more information, see Citrix Workspace app version.

Automatic update management settings supports configuration profiles

The automatic update management settings such as Automatic update timeframe and Citrix Work‑
space app version are applicable for different user groups through configuration profiles.

For more information, see Automatic update management settings supports configuration profiles.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 45

Citrix Workspace

Oct 09, 2024

Configuration profile feature is available on Linux and Android for cloud store users

The configuration profiles feature in Global App Configuration service allows the administrators to
configure settings for user groups. Starting with the release of Citrix Workspace app version 2408 for
Linux and version 24.9.0 for Android, this feature is available on Linux and Android for cloud store
users.

For more information, see Release note: Citrix Workspace app for Linux and Release note: Citrix Work‑
space app for Android

Learn more about the feature in Manage settings for user group using configuration profile.

Sep 24, 2024

Configuration profile feature is available on iOS for cloud store users

The configuration profiles feature in Global App Configuration service allows the administrators to
configure settings for user groups. Starting with the release of Citrix Workspace app version 24.9.0 for
iOS, this feature is available on iOS for cloud store users.

For more information, see Release note: Citrix Workspace app for iOS

Learn more about the feature in Manage settings for user group using configuration profile.

Jul 02, 2024

Plug‑in Manager is available for Microsoft Teams

Starting with Citrix Workspace app for Windows version 2405, administrators can now optimize the
audio and video for calls and meetings using the Microsoft Teams VDI plug‑in manager. This enhance‑
ment provides improved performance and user experience during virtual meetings. The installation
and configuration of the Microsoft Teams VDI plug‑in manager can be managed through the Global
App Configuration service. This Plug‑in Manager, in turn, installs and manages the Microsoft Teams
Optimization plug‑in (VDI 2.0 or Slimcore engine) on the end‑user’s device.

For more information, see Microsoft Teams VDI Plug‑in Management.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 46

Citrix Workspace

Jun 04, 2024

Clone settings across stores, channels, and configuration profiles

Administrators can now clone settings across stores, channels, and configuration profiles through
Global App Configuration service using a new feature called Clone Settings. This feature allows you
to duplicate existing settings instead of going through the entire configuration process again. Conse‑
quently, it saves a lot of time and effort, resulting in better productivity and streamlined workflows.

For more information on configuring this feature, see Clone settings across stores, channels, and con‑
figuration profiles.

May 29, 2024

Applying GACS settings on first‑time use of Citrix Workspace app for HTML5

Starting with Citrix Workspace app for HTML5 version 2404.1 and later, Global App Configuration ser‑
vice (GACS) settings are applied when end users start a Workspace session for the first time. End users
might also be prompted to restart their session to ensure compliance.

For more information, see Citrix Workspace app for HTML5 product documentation.

May 07, 2024

Manage settings for user groups using configuration profile (Preview)

With the release of Citrix Workspace app version 2402 for Mac and Windows, you now can manage
settings for user groups using Configuration profile in Global App Configuration service (GACS). A
configuration profile is used to identify a collection of user groups. It allows you to manage settings
for user groups rather than applying them to all users accessing the store. To do so, you can create
a configuration profile and add the desired user groups to it. You can then choose the configuration
profile, assign settings, and publish them to apply specific experiences to different user groups..

For more information on configuring settings for configuration profile , see Manage settings for user
group using configuration profile.

Note:

This feature is currently applicable for cloud stores on the Windows and Mac platforms. The
support for other platforms will soon be available.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 47

Citrix Workspace

Apr 11, 2024

Improvements in Global App Configuration service

With the release of Citrix Workspace app version 2402 for Windows and Mac, we have enhanced Global
App Configuration service (GACS) in the following areas:

Settings are secured with user authentication GACS now serves settings in two stages. Citrix
Workspace app initially fetches certain settings that need to be applied before user authentication,
and the rest of the settings are applied after the successful authentication.
This capability paves the way for an upcoming GACS feature that gives you the ability to configure
settings for a user based on the user group to which that user belongs.
Note:

The authenticated GACS is currently available only for Workspace stores. The support for Store‑
Front stores will soon be available.

Discovery improvements Citrix Workspace app now has the improved ability to discover and con‑
figure settings for various user inputs. Users can now start using the app with either an email address,
domain name or store URL. Based on the user input, GACS discovers the associated store URLs and
adds all of them.
Previously, when you map multiple store URLs to a domain and configure GACS settings for more than
one of the store URLs, users were unable to add any store to Citrix Workspace app because it discovers
multiple stores. However, starting with the 2402 release, this limitation is removed.
Note:

Starting with Citrix workspace app for Windows 2402 and Mac 2402, you can add more than one
GACS‑enabled store. The store that you add first takes the precedence in assigning value to the
settings, and subsequent stores inherit the behavior determined by the first store. In the upcom‑
ing release, we’re introducing a setting for administrators that allows you to manage whether a
store can be added to Citrix Workspace app as a single store or as part of multiple stores. In the
meantime, if you wish to enable this setting, contact Citrix Support.

Full StoreFront URL support GACS has the added flexibility to configure different settings for Store‑
Front URLs with a common FQDN. Let’s take the examples of the stores https://mywork.acme.
com/Citrix/StoreFTE and https://mywork.acme.com/Citrix/StorePartner. Pre‑
viously, you could configure settings only at https://mywork.acme.com (FQDN) level, which
didn’t provide the flexibility to configure different settings for each of the stores: StoreFTE and
StorePartner.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 48

Citrix Workspace

Mar 18, 2024

Additional settings for Citrix Enterprise Browser

Global App Configuration service (GACS) has new settings to configure Citrix Enterprise Browser that
allow you to manage the following actions:

• Autofill suggestions for the addresses

• Autofill suggestions for credit card information
• Launch an external application without prompting the user
• Display the security warnings when potentially dangerous command‑line flags are used to
launch the browser.
• Manage the default cookie setting
• Manage the default pop‑up setting
• Install the extensions, apps, and themes to the browser
• Suppress the warnings for any suspected lookalike domains in the browser
• Allows the websites to check saved payment methods
• Manage the saving of the browser history
• Manage the search suggestion in the browser’s address bar
• Export a bookmark
• Create an ephemeral profile when users sign in to the Enterprise Browser

For more information about the settings, see Manage Citrix Enterprise Browser through Global App
Configuration service in the Citrix Enterprise Browser product documentation.

Jan 18, 2024

Manage plug‑ins using Global App Configuration service

The Global App Configuration service provides a centralized platform that helps you configure instal‑
lation and update settings for plug‑ins. You can distribute plug‑in settings across both managed and
unmanaged devices. To configure plug‑in settings, navigate to the Updates and Plug‑ins category
under Workspace Configuration > App Configuration on the cloud portal. For more information,
see Plug‑in management.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 49

Citrix Workspace

You can configure the following plug‑ins:

• Citrix Endpoint Analysis Plug‑in

• Citrix Secure Access Agent
• Webex VDI AutoUpgrade Plug‑in
• Zoom VDI Plug‑in Management

Nov 21, 2023

Manage Citrix Workspace app version

As an admin, you can now manage auto‑update or version settings for Citrix Workspace app from a
centralized platform. You can customize your settings for both CR (Current Release) and LTSR (Long
Term Service Release) versions. You can set up a rule that updates your end users automatically to the
latest version, whenever a new version is available. If you do not want to update to the latest version,
you can also specify a preferred version that the end users must update to for optimal results.

The Citrix Workspace App Version setting can be customized for Windows and Mac platforms from
the Updates and Plug‑Ins section. For more information, see Manage Citrix Workspace app ver‑
sions.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 50

Citrix Workspace

Oct 30, 2023

Configure settings for on‑premises stores

You can now use the Global App Configuration service UI to configure settings for on‑premises stores.
Sign in to your Citrix Cloud account and navigate to Workspace Configuration > App Configuration
to get started.

Note:

If you don’t have a Citrix Cloud account yet, go to the Citrix Onboarding page to create one.

Before proceeding, verify that you’ve established a claim to your StoreFront URL. If you’ve claimed
your StoreFront URL, see the Configure settings section for more information.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 51

Citrix Workspace

If you haven’t claimed your StoreFront URL yet, you can claim it. For that, click Claim URL under the
App Configuration section to claim your URL. For more information, see Get started with configura‑
tion.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 52

Citrix Workspace

Sep 28, 2023

Simplified settings categorization for easy navigation

The Global App Configuration service UI has been enhanced to deliver a user‑friendly categorization
of settings. The settings have been categorized based on end‑user workflows and topics, compris‑
ing seven primary folders and multiple subfolders. This clutter‑free organization makes it easier for
admins to navigate among 300+ settings.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 53

Citrix Workspace

Jul 28, 2023

View summary of configured settings

Admins can now view a summary of the current configuration by clicking the View configured set‑
tings button. This eliminates the need to expand and review each setting separately. A consolidated
list of all the configured settings allows admins to perform a comprehensive review of the current
configuration and gauge the user impact.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 54

Citrix Workspace

Jun 07, 2023

Review unsaved changes

With this enhancement, admins can perform a final review of their unsaved changes before publish‑
ing the configuration. The number of unsaved settings is displayed on the UI and admins can access
this list by clicking the Review unsaved setting(s) option. This enables admins to make informed
changes and maintain data accuracy.

Admins can also navigate to an unsaved setting by clicking the arrow.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 55

Citrix Workspace

Enhanced user interface

Admins can now view the status of each setting without expanding it.The following tags are now dis‑
played to facilitate informed decision making at every step.

• Configured: Displays the number of platforms (client OS) for which the setting has already been
configured.

• Unsaved: Displays the number of settings that are configured but not yet saved

May 23, 2023

Enhanced search capabilities

With this enhancement, the search experience has been enhanced to provide a robust and seamless
experience. Admins can now sign in to the cloud portal and locate the required settings on the App
Configuration page with ease. They can use the following search methods.

• Search using setting description

Admins can also locate settings by entering keywords found within the setting’s description.
This allows for a more flexible search approach, utilizing relevant terms associated with the
desired setting.

• Search using API setting name

Admins have the option to search for settings by entering the corresponding API setting name.
This method allows for a more precise and targeted search, enabling users to quickly find the
specific setting they require.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 56

Citrix Workspace

View applicable platforms for each setting

Each setting now dynamically displays only those platforms to which it is relevant and applicable.
This intelligent filtering ensures that users are presented with a concise and tailored list of options,
eliminating unnecessary clutter and confusion.

Get started with Citrix Workspace

August 29, 2024

This article outlines the main steps involved in setting up Citrix Workspace and related components,
from beginning to end. For a summary of the phases involved, see Workflow overview.

Workflow overview

Before setting up Citrix Workspace, review the system requirements.

If setting up Citrix Workspace as a new customer, there are 5 broad phases of work:

1. Prepare for Citrix Workspace in Citrix Cloud.

2. Configure end‑user access and authentication.
3. Integrate services into workspaces.
4. Customize workspaces with your enterprise‑specific preferences, such as logos and security
policies.
5. Roll out Citrix Workspace to end‑users.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 57

Citrix Workspace

Phase 1: Prepare for Citrix Workspace in Citrix Cloud

Before configuring Citrix Workspace, you must sign up to Citrix Cloud. If you’re already a Citrix Cloud
customer, with administrators added through Identity and Access Management, you can skip to
Phase 2: Configure subscriber access and authentication.

The steps involved in Phase 1 include:

1. Signing up to Citrix Cloud.

2. Add an identity provider to authenticate administrators or workspace users.
3. Add administrators who can configure Workspace. If you have configured an administrator to
have Custom access then under the General section select Workspace Configuration.
4. Setting up the infrastructure by:

• Creating resource locations.

• Deploying cloud connectors.

Phase 2: Configure end‑user access and authentication

Once you logged into Citrix Cloud, you can access Workspace Configuration from the main menu.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 58

Citrix Workspace

If you do not see this option then ensure you have the Workspace Configuration permission, see
Modify administrator permissions.
Phase 2 involves configuring access controls, including the authentication methods, the Workspace
URL and external connectivity to resources.
Note:

There are two ways to access Citrix Workspace. One is through the natively installed Citrix Work‑
space app for simple, secure access to Citrix Cloud services and workspaces. The other way to
access Citrix Workspace is through a web browser. For more information, see User access.

Configure workspace access

You configure access controls in Workspace Configuration > Access. It typically involves the follow‑
ing tasks:

• Configure and enable the Workspace URL.

• Configure external connectivity with Citrix Gateway.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 59

Citrix Workspace

Configure authentication to workspaces

Defining how end‑users authenticate to sign in to their workspaces is a two‑step process:

1. Under Identity and Access Management, configure Identity and access management.
2. Under Workspace Configuration > Authentication, choose one of the authentication methods
delivered by the identity providers you configured in the first step. For more information, see
Configure authentication.

If you’re using a federated identity provider, you can also enable single sign‑on (SSO) to VDAs with the
Citrix Federated Authentication Service (FAS).

Phase 3: Integrate services into workspaces

Integrating your services into workspaces is another two‑part process:

1. Configure your purchased services in Citrix Cloud. For a list of services, visit Citrix Cloud Ser‑
vices.
2. Enable access to your configured services in Workspace Configuration > Service Integrations.
For more information on service integration, visit Enable and disable services.

Phase 4: Customize workspaces

You can customize the experience of workspaces for different users and to meet specific organizational
requirements in Workspace Configuration by:

• Customizing the appearance of workspaces, including logos and custom themes. For instruc‑
tions on customizing Workspace appearance, visit Customize the appearance of workspaces.
• Choosing interaction options, such as allowing users to create Favorites and automatically
launching desktops. For instructions on customizing how users interact with their workspaces,
visit Customize workspace interactions.
• Customizing privacy and security settings. This includes setting a timeout period, creating a
sign‑in policy, and allowing users to change their passwords from within their workspaces. For
instructions on how to customize Workspace privacy and security policies, visit Customize se‑
curity and privacy policies.

Phase 5: Roll out Citrix Workspace to end‑users

The broad activities for this phase include:

1. Testing workspaces.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 60

Citrix Workspace

• Verify that you can sign in through the browser and into the Citrix Workspace app.
• Launch and use all available apps and desktops.
• Check that you can access available folders and files.
• Check that notifications are displaying the expected actions and activities.
• If enabled, verify that you can access endpoint resources on mobile devices.

2. Onboarding users.

• Communicate Citrix Workspace capabilities with users.

• Share the Workspace URL.
• Guide users to install the Citrix Workspace app.

System Requirements

August 9, 2024

Citrix Cloud

To configure Citrix Workspace, you must have an account on Citrix Cloud and have enabled either
Citrix Desktops as a Service or Secure Private access.
See Citrix Cloud System and Connectivity Requirements

DaaS

To access DaaS resources, see DaaS system requirements.

End user connectivity

Citrix Workspace app

End users can use any supported version of Citrix Workspace app to connect to your workspace. Older
versions of Citrix Workspace app may work but are not supported. It is recommended you use the
latest version of Citrix Workspace app. Not all features are available on earlier versions of Citrix Work‑
space app. For more information about supported features in Citrix Workspace app by platform, refer
to the Citrix Workspace app feature matrix.
Citrix Receiver has reached End of Life (EoL). It may work with reduced functionality but is no longer
supported. At a minimum, Citrix Workspace requires a version of Citrix Receiver that supports TLS
1.2:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 61

Citrix Workspace

Receiver Minimum Version

Windows 4.2.1000
Mac 12.0
Linux 13.2
Android 3.7
iOS 7.0

If you need to use older versions of Citrix Receiver then use Citrix StoreFront which can be configured
to allow older TLS versions (not recommended).

Web browsers

End users can use the latest versions of the following browsers to connect to their Workspace:

• Citrix Enterprise Browser

• Microsoft Edge
• Google Chrome
• Mozilla FireFox
• Apple Safari

Admins can use these web browsers to configure Workspace.

Citrix Workspace Web Extensions For improved experience and reliability, it is recommended that
users add Citrix Workspace Web Extension to their web browser. For more information, see Citrix
Workspace Web Extension and Install Citrix Workspace Web Extension.

Network connectivity

Client devices must be able to reach the following addresses:

• https://*.cloud.com
• https://*.citrixdata.com

Citrix Virtual Apps and Desktops site aggregation

Site aggregation can be used with all supported versions of Citrix Virtual Apps and Desktops. Earlier
end of life (EoL) versions of Citrix Virtual Apps and Desktops may work but are not supported.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 62

Citrix Workspace

XenApp and XenDesktop are end of life (EoL). XenApp and Desktop 7.0 and higher may work but are
not supported. XenApp and XenDesktop 7.16 or higher are required for use with Citrix Federated Au‑
thentication Service (FAS).

NetScaler Gateway

Citrix Workspace can use any supported version of NetScaler Gateway to provide access to resources.
Alternatively use Citrix Gateway Service for a zero deployment solution.

Federated Authentication Services (FAS)

Citrix Workspace can use FAS to provide single sign‑on to resources, for more information see .

For system requirements, see FAS system requirements.

Deliver DaaS and Virtual Apps and Desktops with Citrix Workspace

August 28, 2024

Citrix Workspace is the cloud service alterative to StoreFront, which is the on‑premises Windows ap‑
plication that aggregates Citrix DaaS apps and desktops. Citrix Workspace is a cloud component that
provides the tools, services, and capabilities needed for remote working, extensibility, and customiza‑
tion.

You can use both on‑prem StoreFront and Citrix Workspace within a single deployment. For instance
you may use Citrix Workspace to provide access to external users while internal users use on‑prem
StoreFront.

Full migration to DaaS

It is recommended that you first migrate from on‑prem CVAD deployments to DaaS before you migrate
from on‑prem StoreFront to Citrix Workspace. For more information, see Migrating from on‑premises
to cloud and the Tech Zone deployment guide.

On‑prem Citrix Virtual apps and Desktops site aggregation

You can transition to Citrix Workspace with your existing on‑premises Virtual Apps and Desktops de‑
ployment. This process is called site aggregation. This has performance and resilience limitations so
is only recommended for simple deployments.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 63

Citrix Workspace

For more information on the site aggregation process and the steps involved, visit Aggregate
on‑premises virtual apps and desktops in workspaces.

Connectivity to resources

There are the following options of how to provide access to your Virtual apps and desktops, designed
for different business requirements.

Connectivity option Scenario

NetScaler gateway appliances
Citrix‑managed gateways
No gateway (internal only)
Choose this option if you would like to use your
own gateway for external connectivity to
resources. This allows you to take advantage of
your current investment in on‑premises
gateways.
Choose this option if you would like to use the
Citrix Gateway service for external connectivity
to your resources. HDX connections between
clients and VDAs are proxied through the Citrix
Gateway service.
Choose this option if you want subscribers to
launch resources only using clients inside your
corporate network. Subscribers won’t have
external access to resources if you choose this
option.

For more information, see External connectivity.

Configure workspace resiliency and optimization

For information on improving the efficiency and availability of your DaaS through Citrix Workspace,
visit Optimize DaaS in Citrix Workspace. This includes information on how to:

• Optimize connectivity with Direct Workload Connection.

• Ensure service continuity during an outage for offline resilience.
• Configure single sign‑on (SSO) to virtual apps and desktops with Citrix Federated Authentication
Service (FAS).

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 64

Citrix Workspace

User Access

August 29, 2024

Two different methods are available for users to access Workspaces.

• Citrix Workspace app ‑ Users with compatible versions of Citrix Workspace app can access their
workspace within the Citrix Workspace app. This provides the best user experience and the
greatest functionality.
• Web browser ‑ Users with compatible web browsers can access Workspace by browsing to the
Workspace’s URL. By default, users also require a compatible version of Citrix Workspace app to
open virtual desktops and applications, known as hybrid launch. However, you can configure
your website to enable users to access their resources through their browser without installing
Citrix Workspace app.

Citrix Workspace app

Citrix Workspace app is a locally installed app for accessing workspaces. For more information, see
Citrix Workspace app.

Configure Citrix Workspace app

After installation, Citrix Workspace app must be configured with connection details for the stores pro‑
viding users’desktops and applications. You can make the configuration process easier for your users
by providing them with the required information in one of the following ways.

Manual configuration Users can enter the Workspace URLs into Citrix Workspace app. For more
information, see the Citrix Workspace app documentation.

Provisioning files After users sign into the Workspace using a web browser, they can go to Account
Settings, Advanced and download a workspace configuration file. When the user opens this file with
Citrix Workspace app it adds the Workspace to the app.

Global App Configuration Service Use the Global App Configuration Service to configure
Citrix Workspace app for your Workspace. See [Configure settings for cloud stores]/en‑us/citrix‑
workspace/global‑app‑config‑service/configure‑gacs‑cloud).

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 65

Citrix Workspace

Supported versions of Citrix Workspace app and Citrix Receiver

For more information on supported versions of Citrix Workspace app and Citrix Receiver, see system
requirements.

Web browser

As an alternative to using a locally installed Workspace app, users can access their store through a
web browser. For supported browsers, see system requirements.

When users launch their resources from a web browser there are two possibilities:

1. Resources open within locally installed Citrix Workspace app. This is known as a hybrid launch.
This gives users the best experience as it takes advantage of full operating system integration.
For more details see Hybrid launch

2. Resources open within their web browser. This makes it possible for users to access resources
without needing to install any software locally.

The default configuration is that resources always open within the locally installed Citrix Workspace
app. You can change the configuration to either always open resources in the browser or to give the
user the choice. For more information, see launching apps and desktops.

If the admin selected Let end users choose then when the user first opens the Workspace URL in
their browser, the user has the option to click Use Web Browser to launch resources within their web
browser.

Hybrid Launch

When users first open a Workspace in browser but are configured to launch apps within the locally
installed Citrix Workspace app this is known as hybrid launch. There are a number of ways in which
the web site can communicate with the locally installed Workspace app to open resources.

Citrix Workspace web extensions

The Citrix Workspace web extensions are extensions for commonly used web browsers that improve
the user experience for detecting the locally installed Citrix Workspace app and launching virtual apps
and desktops. Compared to Citrix Workspace launcher, this provides a better user experience.

The first time a user goes to a Workspace URL on a supported platform, it prompts the user to detect
the locally installed Workspace app. It first tries to use the web extension and if this fails then it tries
Citrix Workspace Launcher. Existing users who have already completed Workspace app detection can
go to Account Settings, click Change Citrix Workspace app to re‑detect workspace app.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 66

Citrix Workspace

Citrix Workspace launcher

When the user first goes to a Workspace URL a supported operating system and browser and Citrix
Web Extensions is not installed, it attempts to invoke the Citrix Workspace Launcher. The browser
might prompt the user for confirmation, for example:

If a supported version of Citrix Workspace app is installed then the app notifies Citrix Workspace which
remembers this and when it launches an app it uses Citrix Workspace Launcher.
Citrix Workspace Launcher requires the following minimum versions of Citrix Receiver or Citrix Work‑
space app.

• Receiver for Windows 4.3 or higher

• Receiver for Mac 12.0 or higher

If Citrix Workspace launcher is not available, or the user does not allow it to open, then it will not be
able to detect the locally installed Citrix Workspace app. The user has the option to try again, or to
click Already Installed, in which case it falls back to launching apps using .ica files. The user can later
try again by going to the advanced settings screen and clicking Verify connection.
Citrix Workspace launcher is available on Windows and macOS.

ICA file downloads

On operating systems where Citrix Workspace launcher is not available, when a user launches an app
or desktop it downloads an ICA file that the user can open in their locally installed Citrix Workspace
app.
On Windows and macOS, on the client detection screen, if the user clicks Already installed then Citrix
Workspace launcher is not used for launching apps and desktops. Instead, when the user launches an

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 67

Citrix Workspace

app or desktop it downloads an ICA file that the user can open in their locally installed Citrix Workspace
app.

Activity Manager

October 24, 2024

Activity Manager is a simple yet powerful feature in Citrix Workspace that empowers users to effec‑
tively manage their resources. It enhances productivity by facilitating quick actions on active apps
and desktops from any device. Users can seamlessly interact with their sessions, ending or discon‑
necting sessions that are no longer required, freeing up resources and optimizing performance on
the go.

The Activity Manager panel displays a consolidated list of apps and desktops that are active not only
on the current device but also on any remote device that has active sessions. Users can view this list
by clicking the Activity Manager icon located next to the profile icon on desktop and at the bottom of
their screen on mobile devices.
Note:

If you are unable to view the Activity Manager icon in a darker banner theme, consider changing
and testing the color selected in the Banner text and icon color setting. The icon might not be
visible clearly due to a low contrast between the banner and the Activity Manager icon. For more
information, see Configure custom themes.

Enable Activity Manager

Note:

The Activity Manager feature can be enabled only for the new UI. For more information on the
new UI, see Enable the new Workspace experience.

To enable or disable this feature, follow these steps:

1. Navigate to Workspace Configuration > Customize > Features in Citrix Cloud.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 68

Citrix Workspace

2. Under Activity Manager, click the toggle button to enable or disable the feature.

3. You can then customize the access permissions as follows:

• To enable Activity Manager for all end users, select Enable for everyone.

• To enable Activity Manager for selected users and user groups, select Enable for selected
users and user groups.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 69

Citrix Workspace

a) Click the Step 1 drop‑down list, and then choose a user directory from the list.
b) Using the Step 2 search field, search the preferred user or user group to apply the
feature.
c) Click Save.

Using Activity Manager

Active apps and desktops are grouped as follows on Activity Manager.

• A list of apps and desktops that are active on current device are grouped under On this device.
• A list of apps and desktops that are active on other devices are grouped under Running Re‑
motely.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 70

Citrix Workspace

Users can perform the following actions on an app or desktop by clicking the respective ellipsis(…)
button.

• Disconnect: The remote session is disconnected but the apps and desktops are active in the
background.
• Log out: Logs out from the current session. All the apps in the sessions are closed, and any
unsaved files are lost.
• Shut Down: Closes your disconnected desktops.
• Force Quit: Forcefully powers off your desktop in case of a technical issue.
• Restart: Shuts down your desktop and start it again.

Disconnected apps and desktops

Activity Manager now enables end users to view and take actions on apps and desktops that are run‑
ning in disconnected mode, locally or remotely. Sessions can be managed from mobile or desktop
devices, enabling end users to take action on the go. Taking action on disconnected sessions such as
log out or shut down promotes optimized use of resources and reduces energy consumption.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 71

Citrix Workspace

• The disconnected apps and desktops are displayed on the Activity Manager panel and are indi‑
cated by a disconnected icon.
• The disconnected apps are grouped under the respective sessions and the sessions are indi‑
cated by a disconnected icon.

End users can take the following actions on their disconnected desktops by clicking the ellipses but‑
ton:

• Log out: use this to log out from your disconnected desktop. All the apps in the session are
closed, and any unsaved files are lost.
• Shut Down: use this option to close your disconnected desktops.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 72

Citrix Workspace

• Power off: use this option to forcefully power off your disconnected desktops in case of a tech‑
nical issue.
• Restart: use this option to shutdown and start the disconnected desktop again.

The behavior of disconnected sessions on Activity Manager differs as follows.

• If you are signed into Citrix workspace through a browser, and disconnect a local session, the
session is first displayed under On this device. However, once you close and reopen Activity
Manager, the disconnected session is moved under Running Remotely.
• If you are signed into Citrix Workspace app through a native device, and disconnect a local ses‑
sion, the disconnected session disappears from the list. However, once you close and reopen
Activity Manager again, the disconnected session is moved under Running Remotely.

Reconnect to disconnected apps and desktops

The reconnect feature allows end users to effortlessly reopen their disconnected apps and desktop
sessions, ensuring a smooth transition between devices without losing progress. This feature seam‑
lessly restores access to the previous work environment, eliminating the need to search for and re‑
open apps and desktops.

To reconnect to a disconnected app or desktop:

• Open Activity Manager and then click on the resource item.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 73

Citrix Workspace

OR

• Click the ellipsis button (…) and then click Reconnect.

Clicking Reconnect reopens the disconnected resource from where you left off.

Transfer your apps and desktops

The transfer feature allows end users to transfer their active apps and desktop from other devices to
the current device. To transfer the apps and desktops, follow these steps:

1. Click the ellipsis button (…) and then click Transfer.

2. Click Transfer on the confirmation dialog box.

Once the resources are transferred to the current device, you can see them listed under the ON THIS
DEVICE section in the Activity Manager.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 74

Citrix Workspace

Hibernate and Resume virtual desktop sessions

The Hibernate and Resume feature allows users to optimize resource utilization by hibernating virtual
desktops when not in use and seamlessly resuming them as needed. This not only saves costs and en‑
ergy but also enhances user workflow with faster session resumption times. In Azure environments,
the administrators have the capability to create Machine Creation Services (MCS) machine catalogs
that fully support hibernation. This feature allows users to suspend virtual machines, and seamlessly
resume to their previous state when users reconnect, thus optimizing resource utilization and enhanc‑
ing user experience.

The hibernation capability is particularly beneficial for Single‑session OS machine catalogs, whether
they are persistent. When initiating hibernation, Azure communicates with the guest operating sys‑
tem, triggering a suspend‑to‑disk action. During this process, the memory (RAM) contents of the
virtual desktops are preserved on the OS disk, while the virtual desktop itself is deallocated. Upon
subsequent startup, the virtual desktop’s RAM contents are restored from the OS disk, ensuring that
applications and processes resume seamlessly from their last state.

The following section describes how administrators can enable this feature on user devices and how
users can experience it.

Note:

If users hibernate the virtual desktops for more than 60 days, they can no longer perform hiber‑

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 75

Citrix Workspace

nate or resume operations.

Configuration

Users can hibernate their virtual desktops sessions only when administrator enables:

• Activity Manager on the user device, and

• Hibernation capability of the virtual desktop

For more information about enabling or disabling Activity Manager, see Activity Manager.

To enable hibernation capability, an administrator needs to follow specific guidelines and enable pre‑
view features both in Azure and Citrix DaaS. For more information, see Create hibernation‑capable
VMs (Preview).

User experience

When an administrator enables Activity Manager and hibernation capability of the virtual desktops,
users can see the Hibernate option on the Activity Manager menu.

Hibernate a desktop session:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 76

Citrix Workspace

To hibernate a desktop session, users can click the three‑dot button (…) and then click the Hibernate
option. The desktop initiates the hibernation once the users click the Hibernate option. Once the
desktop is hibernated, the desktop resource moves to the In Hibernation section on Activity Man‑
ager.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 77

Citrix Workspace

Resume a hibernated desktop session:

Hibernated desktop sessions are available under the In Hibernation section on Activity Manager. To
resume the hibernated desktop session, users can click the three‑dot button (…), and then click the
Resume option.

Once users click the Resume option, the desktop gets restored.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 78

Citrix Workspace

Citrix Workspace web extension

October 15, 2024

Citrix Workspace web extension establishes a secure and reliable connection between Citrix Work‑
space web client and locally installed Citrix Workspace app. It streamlines the opening of apps and
desktops from the web client to the native app, which uses HDX protocol. When you access the web
client and open any apps or desktops after installing this extension on your browser, the extension
opens the app or desktop from your native Citrix Workspace app.

The web extension offers various benefits such as seamless opening of desktop and apps, service con‑
tinuity, supports App Protection service etc. For more information on the benefits of the web exten‑
sion, see Benefits of Citrix Workspace web extension.

Note:

Users need to have the Citrix Workspace app client natively installed on their device for this ex‑
tension to work. To download Citrix Workspace app, visit the Citrix Downloads page.

The Citrix Workspace web extension is supported on Google Chrome, Microsoft Edge, and Apple Safari
browsers. The extension is available for both cloud and on‑premises stores.

For more information on the installation of the web extension, see Citrix Workspace web extensions
on StoreFront.

Supported Browsers

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 79

Citrix Workspace

Browser name Operating system Version

Citrix Enterprise Browser Windows, Mac Latest browser version is

supported
Google Chrome Windows Latest browser version is
supported
Microsoft Edge Windows Latest browser version is
supported
Apple Safari Mac Latest browser version is
supported

Supported versions of Citrix Workspace and StoreFront

Citrix Workspace web extension is always available for use with Citrix Workspace without requiring
any additional configuration.

To use the Citrix Workspace web extension with StoreFront, StoreFront 2203 CU2 or higher is
required.

For StoreFront versions earlier than 2402, Citrix Workspace web extension is disabled by default and
you must enable it manually.

For StoreFront version 2402, Citrix Workspace web extensions is enabled by default for new deploy‑
ments but you must manually enable it when upgrading from a previous version.

For StoreFront 2407 and later, Citrix Workspace web extension is enabled by default and hence you
don’t need to do any configuration.

For more information about enabling use of Citrix Workspace web extensions in StoreFront, see Citrix
Workspace web extensions on StoreFront.

Benefits of Citrix Workspace web extension

The web extension enhances the reliability and security of hybrid deployments. It comes with the
following built‑in features.

Seamless opening of desktops and apps

Normally, the Citrix Workspace web client uses Citrix Workspace launcher to detect the locally in‑
stalled Citrix Workspace app and opens apps in‑memory. However, depending on the browser, the
user might need to click through a pop‑up on every launch. The Workspace web extension allows

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 80

Citrix Workspace

the web client to seamlessly opens desktops and apps with no browser pop‑ups.The Citrix Workspace
web client can leverage the extension’s functionality to open apps and desktops in native Citrix Work‑
space app without verifying through client detection whether the Citrix Workspace app is installed
locally. This provides a more seamless experience for users in opening apps or desktops as the client
detection step is bypassed.

More reliable launches for StoreFront GSLB deployments

When using multiple StoreFront deployments behind a Global Server Load Balancer (GSLB), the re‑
sponses might be directed to the wrong server, leading to failures in opening apps and desktops.
This can be mitigated through GSLB configuration but it is complex to configure. Citrix Workspace
web extension allows for reliable client detection and opening of apps and desktops with no special
configuration for GSLB deployments.

Service Continuity for Workspace

If a user is unable to sign in to their Workspace, Service Continuity enables them to open their re‑
sources in offline mode. For more information, see Service Continuity.

When accessing the Workspace web client, users must install Citrix Workspace web extension to en‑
able service continuity. During the initial sign in, the extension stores connection leases. Subse‑
quently, if sign‑in fails after 60 seconds, the web extension displays a prompt to use Offline Mode.

Users can continue their work without losing their data, enhancing work productivity. Once connec‑
tivity is restored, users can click Reconnect to Workspace to switch to online mode.
Note:

This functionality applies only when using Workspace, not StoreFront.

This new offline mode prompt is applicable only to Chrome and Edge browsers. For Safari
browser, the old prompt remains unchanged.

App Protection for Workspace

When using Workspace, the web extension allows users to view and open apps that have App Pro‑
tection enabled. This feature prevents unauthorized access to sensitive information from apps by

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 81

Citrix Workspace

protecting users from keylogging, screen capturing, and other security threats.

For more information, see App Protection.

Note:

Unlike Workspace, StoreFront doesn’t require Workspace web extensions for App Protection. For
more information, see StoreFront documentation.

Install Citrix Workspace web extension

For more information on the installation of the web extension, see Citrix Workspace web extension.

Reference articles

• Citrix Workspace web extensions on StoreFront

• Citrix Workspace product documentation
• Citrix Workspace app product documentation
• Support for browser extensions on Citrix Enterprise Browser
• Get secure, reliable access to Citrix Workspace through Citrix Workspace browser extension
• Service Continuity ‑ Citrix Workspace with DaaS Deployments

Install Citrix Workspace web extension

October 14, 2024

Administrators and end users can add the extension to user devices based on the following instruc‑
tions.

1. Download Citrix Workspace web extension from the preferred browser’s web store.

• Chrome Web Store

• Microsoft Edge Addons
• Mac app store

2. Add the extension from your preferred browser app store.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 82

Citrix Workspace

3. Confirm the pop‑up message to add the extension to the browser.

Once the extension is added, you can see the extension icon displayed under the Extensions button
on the toolbar. The extension becomes activated only when a user visits the web client. Otherwise, it
stays inactive.

(Recommended) For easy access, you can even pin the extension based on your browser setting.

The extension automatically detects whether Citrix Workspace app is installed locally on your device,
and it displays the app version.

Login Timeout: Manage the offline mode prompt through the Citrix Workspace Web extension in the
browser. To turn off the offline mode prompt, click the extension icon and disable the toggle button.

Work Offline: Manually switch to offline mode without waiting 60 seconds for the offline mode
prompt. This option is also useful in the case where Login Timeout is disabled.

Troubleshoot: You can collect the error logs using the Download Logs option when there are any
issues.

Read More: Click this link to learn more about the Service Continuity feature.

Once the web extension is added, you can verify whether it is activated and opens apps and desktops
on the native app. You can verify it by navigating to Settings > Advanced.

If you are using the next‑generation UI, the Settings screen displays the message Apps and desk‑
tops will launch in your Citrix Workspace app on your device using Citrix Workspace web exten‑
sion.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 83

Citrix Workspace

If you are using on‑prem StoreFront with the Unified UI, click Change Citrix Workspace app. If the
web extension is detected, it displays the message Citrix Workspace app is successfully detected
via the browser extension.

Deploy web extension on managed devices

If the device is managed by an organization, Administrators have to install the extension on user’s
devices using Group Policy Object (GPO).

Depending on the browser and operating system, you can automatically deploy the Citrix Workspace
web extensions to devices that you manage.

• To deploy Microsoft Edge extensions, see Use group policies to manage Microsoft Edge exten‑
sions.
• To deploy Google Chrome extensions using group policy, see Set Chrome app and extension
policies (Windows).

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 84

Citrix Workspace

• To deploy Chrome extensions using Google Admin console, see Automatically install apps and
extensions.

Note:

• To add the extension on Citrix Enterprise Browser, administrators need to add the exten‑
sion in the Allowed list. For more information, see Support for browser extensions in Citrix
Enterprise Browser documentation.

• By default, Citrix Workspace web extension gets auto‑updated with every new release.

Workspace offline mode prompt

September 27, 2024

The new prompt brings enhancements in the following areas: improved design, enhanced behavior,
and loading time.

Design

The new prompt now appear as a pop‑up on the screen. Previously, the prompt appeared as a new
page that required the user to either reinitiate the authentication or work offline. However, the new
pop‑up design doesn’t need a mandatory response from a user. It provides an option to the user to
choose the offline mode if they encounter any connectivity issues. The new prompt is less intrusive
and allows users to continue with their ongoing authentication process.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 85

Citrix Workspace

Additionally, the new prompt is movable, allowing the user to drag it anywhere on the screen to see
the content behind it.

Behavior and loading time

Significant enhancements are made to the behavior and loading time of the offline mode prompt.

Old behavior: Previously, the prompt appeared within 30 seconds after the user entered the store
URL in the browser. Sometimes it might take some extra time for users to sign in to Workspace store
due to reasons such as waiting for a push notification, entering 2‑factor authentication code, webpage
loading time, etc. If user authentication exceeds the 30‑seconds threshold due to these reasons, the
prompt would appear, interrupting the authentication process.

The user response to the prompt is mandatory and leaves them with only two options: either switch
to offline mode or retry the authentication process. Choosing the retry option required the user to
reinitiate the whole process, and they had no option to continue with the ongoing authentication
process once the prompt window appears.

New behavior: The enhanced offline prompt is less intrusive, as it doesn’t interrupt the ongoing user
authentication. Users can choose either to continue with the authentication process or can use the
offline mode if they are facing any connectivity issues.

The offline mode prompt now appears on the webpage only after 60 seconds, without interrupting the
ongoing user authentication process. Due to some reasons if IdP domain fails to respond, the browser
doesn’t load any page. In such scenarios, a dialog box appears for offline mode instead of the usual
pop‑up prompt.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 86

Citrix Workspace

Configure access to workspaces

July 29, 2024

When you first enable Workspace, a default cloud.com Workspace URL to allow users to access the
Workspace from their locally installed Citrix Workspace app or web browsers. You can customize this
URL or add additional URLs. For more information, see Workspace URL in this article.

For information on how users can connect to Citrix Workspace, see User access options.

To configure how users authenticate to Workspace, see Configure Authentication.

When a user launches a resource, the user’s device must be able to reach the Virtual Delivery Agent
(VDA). For internal users, the endpoint must connect directly to the IP address of the Virtual Delivery
Agent (VDA). Remote users can gain external access to their resources if you configure external connec‑
tivity with Citrix Gateway or the Citrix Gateway service. For information on enabling remote access to
workspaces, see External connectivity in this article.

To configure access settings:

1. Go to Citrix Cloud and sign in with your credentials.

2. Navigate to Workspace Configuration > Access.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 87

Citrix Workspace

Workspace URL

To configure the cloud.com URLs your end‑users use to access their workspace, see Configure Work‑
space URLs.

Custom Domain

In addition to the cloud.com Workspace URLs, you can use your own custom domain in place of the
default Workspace URL. For more information, see Configure a custom domain.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 88

Citrix Workspace

Adaptive Access

The Adaptive access feature enables admins to provide granular level access to the apps that users
can access based on the context. For more information, see Adaptive access.

To enable Adaptive Access

1. Go to the Access tab

2. Go to the section Adaptive access and click the toggle. A confirmation screen appears.
3. Press Enable.

To disable Adaptive Access:

1. Go to the Access tab

2. Go to the section Adaptive access and click the toggle. A confirmation screen appears.
3. Press Disable.

External connectivity

Provide secure access for remote subscribers by adding Citrix Gateways or the Citrix Gateway service
to resource locations.

Citrix supports the following external connectivity options:

• Citrix hosts Citrix Gateway and Citrix ADC

• You host Citrix Gateway and Citrix ADC on‑premises

You can add Citrix Gateways from Workspace Configuration > Access > External Connectivity or
from Citrix Cloud > Resource Locations.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 89

Citrix Workspace

Note:

The External Connectivity part of the Workspace Configuration > Access page isn’t available in
Citrix Virtual Apps Essentials. The Citrix Virtual Apps Essentials service uses the Citrix Gateway
service, which requires no additional configuration.

Configure a custom domain

September 24, 2024

Configuring a custom domain for your workspace allows you to use a domain of your choice to access
your Citrix Workspace store. You can then use this domain in place of your assigned cloud.com domain
for access from both a web browser and Citrix Workspace applications.
A custom domain can’t be shared with other Citrix Workspace customers. Each custom domain must
be unique to that customer. Ensure that you choose the custom domain that you don’t want to assign
to another customer, unless you’re willing to remove the custom domain later.
Disabling the Workspace URL within the Citrix Cloud doesn’t disable Citrix Workspace access through
the custom domain. To disable Citrix Workspace access when using a custom domain, also disable
the custom domain.

Supported scenarios

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 90

Citrix Workspace

Scenarios Supported Not supported

Identity providers AD (+Token), Microsoft Entra ID Google

(formerly Microsoft Azure AD),
Citrix Gateway, Okta, and SAML
Resource types Virtual Apps and Desktops Web apps, SaaS apps, and
published content
Access methods Browser (excluding Internet ‑
Explorer), Citrix Workspace app
for Windows, Mac, Linux, and
iOS apps
Usage Workspace Cloud Connector and Cloud
Administrator Console

Prerequisites

• You can either choose a newly registered domain, or one that you already own. The domain
must be in subdomain format (your.company.com). Citrix doesn’t support using just a root do‑
main (company.com).
• It recommended that you use a dedicated domain as a custom domain for Citrix Workspace
access. It helps you change the domain easily, if necessary.
• Custom domains cannot contain any Citrix trademarks. Find the full list of Citrix trademarks
here.
• The domain you choose must be configured in the public DNS. Any CNAME record names and
values included in your domain configuration must be resolvable by Citrix.

Note:

Private DNS configurations are not supported.

• The length of the domain name must not exceed 64 characters.

Configuring your custom domain

Once a custom domain is set, you can’t change the URL or certificate type. You can only delete it. En‑
sure that the domain you choose isn’t already configured in DNS. Remove any existing CNAME records
before attempting to configure your custom domain.
If you’re using SAML to connect to your Identity Provider, you need to perform an extra step to com‑
plete the SAML configuration. For more information, see SAML.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 91

Citrix Workspace

Note:

When adding the custom URL and configuring SAML, Citrix Cloud requires 24 hours for provision‑
ing.

Adding a custom domain

1. Sign in to Citrix Cloud.

2. From the Citrix Cloud menu, select Workspace Configuration and then select Access.

3. On the Access tab, under Custom Workspace URL select + Add your own domain.

4. Read the information that appears on the Overview page, and select Next.

5. Enter your chosen domain in the Provide a URL page. Confirm that you own the specified do‑
main by selecting Confirm that you or your company own the URL provided, and choose your
TLS certificate management preference. It is recommended selecting managed, as the certifi‑
cate renewals are handled for you. For more information, see Providing a renewed certificate.
Click Next.

If any warnings appear on this page, correct the highlighted issue to proceed.

If you have chosen to provide your own certificate, there’s an extra step to complete in the in‑
structions.

Provisioning of your chosen domain takes some time. You can wait with the page open or close
it while provisioning is in progress.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 92

Citrix Workspace

6. If you have the Provide a URL page open while provisioning completes, the Configure your
DNS page opens automatically. If you have closed the page, select the Continue button for
your custom domain from the Access tab.

7. Perform this step in the management portal provided by your DNS registrar. Add a CNAME
record for your chosen custom domain that points to the Azure Traffic Manager assigned to you.
Copy the address of the traffic manager from the Configure your DNS page. The address in the
example is as follows:
wsp‑cd‑eastus2‑production‑traffic‑manager‑profile‑1‑52183.trafficmanager.net
If you have any Certificate Authority Authorization (CAA) records configured in your DNS, add

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 93

Citrix Workspace

one that allows Let’s Encrypt to generate certificates for your domain. Let’s Encrypt is the Cer‑
tificate Authority (CA) that Citrix uses to generate a certificate for your custom domain. The
value for the CAA record must be as follows: 0 issue “letsencrypt.org”

8. Once you configure the CNAME record with your DNS provider, select Detect CNAME record to
verify that your DNS configuration is correct. If the CNAME record has been configured correctly,
a green tick appears next to the CNAME configuration section.

If any warnings appear on this page, correct the highlighted issue to continue.

If you have any CAA records configured with your DNS provider a separate CAA configuration
appears. Select Detect CAA record to verify that your DNS configuration is correct. If your CAA
record configuration is correct, a green tick appears next to the CAA configuration section.

When your DNS configuration is verified, click Next.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 94

Citrix Workspace

9. This is an optional step. If you chose to add your own certificate, complete the required infor‑
mation on the Add your own certificate page.

Note:

Password protected certificates are not supported.

If any warnings appear on this page, correct the highlighted issue to proceed.
Ensure that the certificate fulfills the following conditions.

• It must be PEM encoded.

• It must remain valid for at least the next 30 days.
• It must be used exclusively for the custom Workspace URL. Wildcard certificates are not
acceptable.
• The common name of the certificate must match the custom domain.
• SANs on the certificate must be for the custom domain. Additional SANs are not allowed.
• The duration for which the certificate is valid must not exceed 10 years.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 95

Citrix Workspace

Note:

It is recommended that you use a certificate using a secure cryptographic hash function
(SHA 256 or > higher). You are responsible for renewing the certificate. If your certificate
has expired or is about to expire, see the Providing a renewed certificate section.

10. This is an optional step. If you’re using SAML as your Identity Provider, supply the related
configuration. Complete the required information on the Configure for SAML page.

Use the following details when configuring the application in your Identity Provider:

Property Value

Audience https://saml.cloud.com
Recipient https://<your custom domain>/saml
/acs
ACS URL Validator https://<your custom domain>/saml
/acs
ACS Consumer URL https://<your custom domain>/saml
/acs
Single Logout URL https://<your custom domain>/saml
/logout/callback

11. Read the information that appears on the Provision your domain page and acknowledge the
given instructions. When you’re ready to continue, select Agree and continue.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 96

Citrix Workspace

This final provisioning step can take some time to complete. You can wait with the page open
while the operation completes, or you can close the page.

Deleting a custom domain

Deleting a custom domain from your customer removes the ability to access Citrix Workspace using
a custom domain. After deleting the custom domain, you can only access Citrix Workspace using the
cloud.com address.

When you delete a custom domain, ensure that the CNAME record is removed from your DNS
provider.

To delete a custom domain,

1. Sign in to Citrix Cloud.

2. From the Citrix Cloud menu, select Workspace Configuration > Access.

3. Expand the context menu (…) for the custom domain on the Access tab, and select Delete.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 97

Citrix Workspace

4. Read the information that appears on the Delete custom domain page and acknowledge the
given instructions. When you’re ready to continue, select Delete.

Deleting a custom domain takes some time to complete. You can wait with the page open while
the operation completes, or you can close the page.

Providing a renewed certificate

1. Sign in to Citrix Cloud.

2. From the Citrix Cloud menu, select Workspace Configuration > Access.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 98

Citrix Workspace

3. The certificate’s expiration date is shown alongside the custom domain that it is assigned to.

When your certificate is about to expire in 30 days or less, your custom domain displays a warn‑
ing.

4. Expand the context menu (…) for the custom domain on the Access tab. Select Update certifi‑
cate.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 99

Citrix Workspace

5. Enter the required information on the Update certificate page, and Save.

If any warnings appear on this page, correct the highlighted issue to proceed.

The certificate must meet the same requirements as when the custom domain was created. For more
information, see Adding a custom domain.

Configuring your identity provider

Configuring Okta

Perform the following steps if you are using Okta as the identity provider for Citrix Workspace ac‑
cess.

1. Sign in to the administrator portal for your Okta instance. This instance contains the application
that is used by Citrix Cloud.

2. Expand Applications then select Applications in the menu.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 100

Citrix Workspace

3. Open the application linked to Citrix Cloud.

4. Select Edit in the General Settings section.

5. In the LOGIN section of General Settings, add a value for Sign‑in redirect URIs. Add the new

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 101

Citrix Workspace

value without replacing any existing values. The new value must be of the following format:
<https://your.company.com/core/login-okta>

6. In the same section add another value for Sign‑out redirect URIs. Add the new value without
replacing any existing values. The new value must be in the following format: <https://
your.company.com>

7. Click Save to store the new configuration.

Note:

To configure SAML with your custom domain, follow the procedure mentioned in SAML configu‑
ration.

Configuring OAuth Policies and Profiles

Important

The existing OAuth policy and profile that links Citrix Cloud and Citrix Gateway or your Adaptive
Authentication HA pair together, must be updated only if the OAuth credentials are lost. Altering
this policy risks breaking the link between Citrix Cloud and Workspaces and affects your ability
to log in to Workspaces.

Configuring Citrix Gateway

The Citrix Cloud admin has the access to the unencrypted client secret. These credentials are provided
by Citrix Cloud during the Citrix Gateway linking process within Identity and Access Management >

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 102

Citrix Workspace

Authentication. The OAuth profile and policy is created by the Citrix admin. It is created manually
on Citrix Gateway during the connection process.

You need the client ID and unencrypted client secret that were provided during the Citrix Gateway
connection process. These credentials are provided by Citrix Cloud and have been saved securely.
The unencrypted secret is needed to use both the Citrix ADC interface or the command‑line interface
(CLI) to create a OAuth policy and profile.

Here’s an example of the UI when the client ID and secret are provided to the Citrix Admin.

Note:

The admin cannot obtain a copy of the unencrypted secret after the Citrix Gateway has been
connected. They must save the credentials during the connection process.

Using Citrix Cloud Perform these steps to add another OAuth profile and policy using the Citrix
Gateway interface:

1. From the menu select Security > AAA ‑ Application Traffic > OAuth IDP. Select the existing
OAuth policy and click Add.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 103

Citrix Workspace

2. When prompted, modify the name of the new OAuth policy to be different from the existing
policy selected the previous step. Citrix suggests adding a custom‑URL to its name.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 104

Citrix Workspace

3. On the Citrix Gateway GUI, create your existing OAuth Profile

4. On the same GUI menu click Add.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 105

Citrix Workspace

5. On the Citrix Gateway GUI, bind the new OAuth Policy to your existing authentication, autho‑
rization, and auditing virtual server.

6. Navigate to Security > Virtual Servers > Edit.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 106

Citrix Workspace

Using the command‑line interface (CLI)

Important

If you don’t have a copy of the OAuth credentials saved securely, you need to disconnect and
reconnect your Citrix Gateway. Update your existing OAuth profile with new OAuth credentials
provided by Citrix Cloud Identity and Access Management. This procedure is not recommended
and must be used only if the old credentials are unrecoverable.

1. Use an SSH tool such as PuTTY to connect to your Citrix Gateway instance.

2. Create the OAuthProfile and OAuthPolicy. Add authentication OAuthIDPProfile.

"CustomDomain-OAuthProfile"-clientID "<clientID>"-clientSecret "<

unencrypted client secret>"-redirectURL "https://hostname.domain.
com/core/login-cip"-audience "<clientID>"-sendPassword ON

add authentication OAuthIDPPolicy "CustomDomain-OAuthPol"-rule

true -action "CustomDomain-OAuthProfile"

3. Bind the OAuthPolicy to the correct authentication, authorization, and auditing virtual server
with a lower priority than the existing policy. This instance assumes that the existing policy has
a priority of 10, so 20 is used for the new policy. Bind authentication virtual server.

"CitrixGatewayAAAvServer"-policy "CustomDomain-OAuthPol"-priority
20

Configuring Adaptive Authentication

Important

The encrypted secret and encryption parameters for the OAuth profile are different on the Adap‑
tive Authentication primary vs secondary HA gateways. Make sure you obtain the encrypted se‑
cret from the primary HA gateway and also run these commands on the primary HA gateway.

The Citrix Cloud admin doesn’t have access to the unencrypted client secret. The OAuth policy and
profile is created by the Citrix Adaptive auth service during the provisioning phase. It is necessary to
use the encrypted secret and CLI commands obtained from the ns.conf file to create OAuth profiles.
This cannot be performed using the Citrix ADC UI. Bind the new Custom URL OAuthPolicy to your ex‑
isting authentication, authorization, and auditing virtual server using a higher priority number than
the existing policy that is bound to your existing authentication, authorization, and auditing virtual

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 107

Citrix Workspace

server. The lower priority numbers are evaluated first. Set the existing policy to be priority 10 and the
new policy to be priority 20 to ensure they are evaluated in the correct order.

1. Connect to your Adaptive Authentication primary node using an SSH tool like PuTTY.

show ha node

2. Locate the line within the running configuration of the primary HA gateway containing your ex‑
isting OAuth Profile.

sh runn | grep oauth

3. Copy the output from the Citrix ADC CLI including all encryption parameters.

4. Modify the line that you copied from the previous step. Use it to construct a new CLI command
that allows you to create an OAuth profile using the encrypted version of the client ID. All en‑
cryption parameters must be included.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 108

Citrix Workspace

• Update the name of the OAuth profile to CustomDomain‑OAuthProfile

• Update the ‑redirectURL to https://hostname.domain.com/core/login‑cip

Following example covers both updates.

add authentication OAuthIDPProfile "CustomDomain-OAuthProfile"-

clientID b1656835-20d1-4f6b-addd-1a531fd253f6 -clientSecret <long
encrypted client Secret> -encrypted -encryptmethod ENCMTHD_3
-kek -suffix 2023_04_19_09_12_25 -redirectURL "https://hostname
.domain.com/core/login-cip"-audience b1656835-20d1-4f6b-addd-1
a531fd253f6 -sendPassword ON

add authentication OAuthIDPPolicy "CustomDomain-OAuthPol"-rule

true -action "CustomDomain-OAuthProfile"

5. Bind the OAuthPolicy to the correct authentication, authorization, and auditing virtual server
with a lower priority than the existing policy. The authentication, authorization, and auditing
virtual server name for all Adaptive Authentication deployments is the name auth_vs. This in‑
stance assumes that the existing policy has a priority of 10, so 20 is used for the new policy.

bind authentication vserver "auth_vs"-policy "CustomDomain-

OAuthPol"-priority 20

Known limitations

Some known limitations of the custom domain solution are as follows:

Workspace platform

• A custom domain can only be linked to the default Workspace URL. Other Workspace URLs
added through the multi‑URL feature can’t have a custom domain.
• If you have a custom domain configured on the previous solution and are using SAML or Mi‑
crosoft Entra ID to authenticate Citrix Workspace access, you’re unable to configure a custom
domain on the new solution without deleting your existing custom domain first.
• When you use Citrix Workspace Web Extension and access custom domain accounts, the service
continuity feature doesn’t work. [WSP‑23564]

Citrix Workspace app for Windows

• This feature is not supported on Citrix Workspace app for Windows version 2305 and 2307. Up‑
date to the latest supported version.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 109

Citrix Workspace

Configure Workspace URLs

August 29, 2024

Overview

When you first enable Workspace, the system creates a Workspace URL of the form customername
.cloud.com that can be used to access the Workspace from web browsers or locally installed Citrix
Workspace app.

You can add additional cloud.com URLs. If you have defined multiple Workspace URLs, you can use
these URLs as policy inputs. For example, you might want different branding, authentication methods,
and resources for different divisions within your organization.

You can also use your own custom domain as an alias for your default cloud.com domain. For more
information, see configure custom domain.

Store name

Each Workspace URL has a Store name. This name is displayed in the Accounts list within Citrix Work‑
space app.

You configure whether the user can modify the store name within Citrix Workspace app. To allow users
to edit their store name from the Citrix Workspace app, users must be on the following versions of the
Citrix Workspace app clients:

• Citrix Workspace app for Windows version 2405 or later

• Citrix Workspace app for iOS version 24.2.0 or later
• Citrix Workspace app for Mac version 2402

Enable or Disable Workspace URL

You can disable all access to your Workspaces for cloud.com URLs. This affects both locally installed
Citrix Workspace app and browsers. Users can continue to use a Custom Workspace URL to access the
default Workspace. If you do not have a Custom Workspace URL then this blocks all access.

To disable access via cloud.com:

1. Untick Workspace URL enabled. This brings up a confirmation screen.

2. Select the checkboxes to confirm you understand.
3. Press Disable.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 110

Citrix Workspace

View URLs

1. Go to Citrix Cloud and sign in with your credentials.

2. Navigate to Workspace Configuration > Access. Under Workspace URL, you can find a list of
existing URLs.

Add Workspace URLs

You can create up to 10 URLs. The workspace URL that you select must be unique. Citrix Cloud re‑
jects Workspace URLs that are already in use by other customers. It’s recommended to use a naming
convention that contains a string that is unique to your organization.

Note:

Avoid using generic URLs such as workspace.cloud.comor mystore.cloud.com.

For example, you can create URLs using the following format:

• YourOrgsales.cloud.com
• YourOrgengineering.cloud.com
• YourOrgmarketing.cloud.com

From the Access tab, to add a URL:

1. Click + Add Workspace URL

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 111

Citrix Workspace

2. Enter a store name.

3. Choose whether you wish the user to be able to modify the store name within Citrix Workspace
app.

4. Enter the subdomain.

5. Select the checkboxes as an acknowledgment that you must provide the new URLs to your end
users post configuration.

6. Click Add to save the URL.

Modify Workspace URL

Warning:

When you rename a URL, the old URL is immediately removed and is no longer available. Tell
subscribers what the new URL is and manually update all local Citrix Workspace apps to use the
new URL. The new URL will be unavailable for up to 10 minutes. If the URL is used in any policy
then you must manually update that policy.

1. Click the … on the row of the Workspace URL you wish to edit.

2. Modify the Store name and Workspace URL as required.

3. If you modified the URL then you must tick several checkboxes to acknowledge that you under‑
stand the consequences.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 112

Citrix Workspace

1. Press Edit to save the changes

Configure Workspace URLs using PowerShell

You can also use the PowerShell API to add or change Workspace URLs.

Run the cmdlet Set-WorkspaceCustomConfigurations with the $WorkspaceHosts list as

the argument to the -WorkspaceHosts parameter to update the URL list for the workspace. Give
the existing URL as the argument to the -WorkspaceUrl parameter. For example:

1 # Set a variable to the value of existing URL for the workspace.

2 $WSPURL = "wspmultiurlmain.cloud.com"
3
4 # Specify the new URLs that you want to create in a list, including any
existing URLs.
5 $WorkspaceHosts = @($WSPURL,"wspmultiurl2.cloud.com","wspmultiurl3.
cloud.com")
6
7 # Update the configuration
8 Set-WorkspaceCustomConfigurations -WorkspaceUrl $WSPURL `
9 -WorkspaceHosts $WorkspaceHosts `
10 -ClientId $APIClientID `
11 -ClientSecret $APIClientSecret `
12 -Verbose

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 113

Citrix Workspace

Configure themes and logos based on Workspace URLs

With the multiple URL feature, you can create and assign separate Appearance themes and logos for
each of the URLs. It enables you to vary the theme and logo that is visible to end users, based on the
Workspace URL.

To create themes and logos based on URLs:

Sign in to the Citrix Cloud Console portal.

1. Navigate to Workspace Configuration > Customize > Appearance.

2. Select Add theme or modify an existing theme using the edit option.
3. On the AfterSign‑in Appearance tab, upload the logo and select the theme colors.
4. On the Theme Details tab, enter the required Workspace URL in the Assign access domain
field.

5. Save your theme configuration. For more information on creating a theme, see Create multiple
custom themes.

Application of themes

Themes can be configured and applied for the following use cases:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 114

Citrix Workspace

• Apply theme to a specific URL: The configured theme applies to any end user using te partic‑
ular Workspace URL. The user group membership isn’t considered as a factor in these cases.
• Apply the theme to one or more user groups: The theme applies to end users who belong to
any of the selected user groups. In this case, the theme is applied regardless of the URL used.
• Apply theme to a specific URL and one or more user groups: The theme applies to an end
user if they belong to any of the selected user groups and are using the particular URL.

The theme prioritization mechanism is the same as before. For more information, see Prioritize cus‑
tom themes

In case no theme has been configured, the default theme is applied. It’s also applied in the following
scenarios:

• When viewing any pre‑login messages or UI

• When viewing the sign‑in screen, unless a third‑party provider is used which has its own sign‑in
page
• After sign‑in, if no appearance theme is configured for the URL

Filter resources based on Workspace URLs

With the new multiple Workspace URL feature, you can filter and deliver resources based on the Work‑
space URL that the end users are using.
There are two methods to filter resources based on Workspace URLs:

• Using Secure Private Access(SPA)

• Using DaaS Admin Console (Studio)

Resource filtering using Secure Private Access

While configuring Citrix DaaS with Secure Private Access, you can control the end user’s access to
resources. You can implement this by configuring Access policies based on Workspace URLs. Access
Policies can be configured for delivery groups using the Workspace URL filter.

For more information, see Citrix Secure Private Access

Resource Filtering using DaaS admin console (Studio)

You can now configure Access Policies for delivery groups based on Workspace URLs. You can control
end users’access to resources based on the Workspace URL that they’re using.
To configure an Access Policy for delivery groups based on Workspace URLs, you need to apply the
following SmartAccess filters. The filter values are also sent as SmartAccess tags to the DaaS service.
It is applicable in both the scenarios:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 115

Citrix Workspace

• while listing apps and desktops published by DaaS

• while launching an app or desktop

Filter Value Description

Citrix.Workspace.UsingDomain example.cloud.com Allows filtering of delivery

Citrix‑Via‑Workspace
group resources by Workspace
URL. The value is the fully
qualified domain name of the
Workspace URL.
True Indicates that the end user is
using the Workspace service,
rather than an on‑premises
StoreFront deployment.

Note:

The SmartAccess tags are sent automatically. DaaS treats requests from Workspace as being not
through Citrix Gateway. If you are not using Network Location or Device Posture, you need to
add filter criteria for these filters to the Non‑Citrix Gateway Connections rule.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 116

Citrix Workspace

This allows filtering of apps and desktops within a delivery group, based on the following criteria:

• the workspace URL that is being used by the end users

• whether users have signed into Workspace or StoreFront

For more information on configuring an access policy for a delivery group, see Manage delivery
groups.

Note:

Enabling the adaptive access (Network Location or Device Posture) features causes DaaS to treat
requests via Workspace as via Gateway. If either feature is switched on, the multiple URL filter
criteria need to be added to the Citrix Gateway Connections rule instead. These features cause
other SmartAccess tags to be sent. For more information, see Adaptive Access based on user’s
network location and Device Posture.

Create an access policy rule for multiple URL workflows

1. To create an access policy rule, go to Edit Delivery Group > Access Policy, and click Add. Access
policies can only be changed once a delivery group has been created.
2. Add a descriptive policy name.
3. Select one of the following criteria for your filters:

• Match any: The access policy allows access if any of the given filter criteria matches the
incoming request.
• Match all: The access policy allows access only if all of the given filter criteria match the
incoming request.

4. Add values for the **Citrix.Workspace.UsingDomain** and **Citrix-Via-

Workspace** filters.

For example, in the following scenario the use of Match any filter means that this rule allows
access from either a user using , or a user connecting from an internal network (as per the Network
Location configuration). For more information, see [Adaptive access based on user’s network
location](/en‑us/citrix‑daas/manage‑deployment/adaptive‑access/adaptive‑access‑based‑on‑users‑
network‑location.html).

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 117

Citrix Workspace

Changing the filter to Match all would mean that the rule only allows access to a user using
<wspmultiurlmain.cloud.com> from an internal network.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 118

Citrix Workspace

Once you confirm the changes, the new policy appears on the Access Policy page. For more informa‑
tion, see Manage Delivery Groups

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 119

Citrix Workspace

Configure nFactor authentication flows based on Workspace URLs

You can associate authentication policies with a Workspace URL using the Adaptive Authentication
service. This enables you to configure different authentication policies for the end users based on the
Workspace URL they’re using.
You can create a policy or edit an existing one to associate it with a Workspace URL. Use one of the
following methods:

• Configure multiple authentication policies using UI

• Configure multiple authentication policies using the Command Line interface

Configure multiple authentication policies using the UI

The Adaptive Authentication service lets you create policies that authenticate your end users based
on the Workspace URL that they’re using.

Step 1: Configure a series of authentication actions and policies that you want to use for the Work‑
space URLs. The policy configuration depends on the type of authentication and the authentication
factors that you want to use. Any supported nFactor authentication flow can be used.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 120

Citrix Workspace

For more information, see Adaptive Authentication

For example, consider the following scenario where:

• The first URL <https://wspmultiurlmain.cloud.com> must be mapped to LDAP au‑

thentication and OTP.
• The second URL <https://wspmultiurl2.cloud.com> must be mapped to LDAP au‑
thentication.
• The third URL <https://wspmultiurl3.cloud.com> must have End User Cert authen‑
tication

Policy syntax

Check for a particular Workspace URL using exact string matching.

1 AAA.USER.WSP.EQ("wspmultiurlmain.cloud.com")

Check whether a particular string is contained within a Workspace URL, using substring matching.

1 AAA.USER.WSP.CONTAINS("wspmultiurlmain")

Step 2: Configure an authentication policy and add your Workspace URL as the expression. The au‑
thentication policy is then valid for the Workspace URL that you entered in the Expression text field.

Step 3: Once you have configured authentication policies based on your URLs, you need to bind them
to your authentication virtual server. For more information, see Authentication policies.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 121

Citrix Workspace

Send SmartAccess tags to DaaS based on Workspace URL

DaaS delivery groups support SmartAccess tags based on the Workspace URL used. The tags can be
a fixed set as explained in Configure Workspace to filter DaaS resources based on Workspace URL or
you can use the Citrix.Workspace.UsingDomain filter or any other SmartAccess tag you want to use
to influence DaaS resource enumeration behavior. The AAA admin can define multiple conditions that
control when SmartAccess tags are sent to DaaS delivery groups.

1. Configure a SmartAccess tag profile with a tag string that you want to send to DaaS.

2. Configure a SmartAccess tag policy expression and link the policy to the action you created ear‑
lier.

3. Now bind the authentication policies to your AAA virtual server.

Configure multiple authentication policies using the Command Line Interface

Send a SmartAccess tag based on the Workspace URL used

Create the SmartAccess Tag profiles

1 add authentication smartAccessProfile WSPMultiURLMain-
SmartAccessProfile -tags "WSPMultiURLMain"
2
3 add authentication smartAccessProfile WSPMultiURL2-SmartAccessProfile -
tags "WSPMultiURL2"
4
5 add authentication smartAccessProfile WSPMultiURL3-SmartAccessProfile -
tags "WSPMultiURL3"

Create the Smart Access Tag policies

1 add authentication smartAccessPolicy WSPMultiURLMain-SmartAccessPol -
rule "AAA.USER.WSP.EQ(\"wspmultiurlmain.cloud.com\")" -action
WSPMultiURLMain-SmartAccessProfile
2
3 add authentication smartAccessPolicy WSPMultiURL2-SmartAccessPol -rule
"AAA.USER.WSP.EQ(\"wspmultiurl2.cloud.com\")" -action WSPMultiURL2-
SmartAccessProfile
4
5 add authentication smartAccessPolicy WSPMultiURL3-SmartAccessPol -rule
"AAA.USER.WSP.EQ(\"wspmultiurl3.cloud.com\")" -action WSPMultiURL3-
SmartAccessProfile

Show Smart Access Profiles and Policies

1 show authentication smartAccessProfile
2 show authentication smartAccessPolicy

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 122

Citrix Workspace

Bind the Policies to the Adaptive Authentication virtual server called “auth_vs”
1 bind authentication vserver auth_vs -policy WSPMultiURLMain-
SmartAccessPol -priority 10
2
3 bind authentication vserver auth_vs -policy WSPMultiURL2-SmartAccessPol
-priority 20
4
5 bind authentication vserver auth_vs -policy WSPMultiURL3-SmartAccessPol
-priority 30

Email Discovery to add Workspace URLs to Citrix Workspace app

Email discovery adds all the Workspace URLs configured in the list of service URLs as stores. If you
want to add two or more stores through email discovery, configure each Workspace URL as a service
URL. It ensures that the URLs are added as stores during the email discovery process.
You can use either of the following methods to add stores:

• Global App Configuration service UI: For more info, see Configure settings for cloud store

• Global App Configuration API: You can use the preceding portal to make an API call to POST
/aca/discovery/app/workspace/domain using your registered domain For more info, see Global
App Configuration service API.

If <[email protected]> is entered in the Citrix Workspace app, the Email Discovery service
adds all stores listed in service URLs. You can use a UPN, or an email address when it contains the
correct domain suffix mydomain.com.

Known limitations

The following are some limitations that impact the multiple URL feature.

Workspace Platform

• You can’t disable individual URLs. If you disable a Workspace URL within the Citrix Cloud admin
console, it disables all the configured URLs.

Citrix Virtual Apps and Desktops

• Resource filtering using Workspace URL for Citrix Virtual Apps and Desktops (on‑premises ag‑
gregation) isn’t supported.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 123

Citrix Workspace

Custom Workspace Domain The workspace is limited to a single custom domain. It’s always linked
to the Workspace URL marked as Default in the admin console.

Citrix Workspace app To add multiple URLs from the same customer as stores, users must be on
the following versions of the Citrix Workspace app clients:

• Citrix Workspace app for Windows version 2302 or later

• Citrix Workspace app for iOS version 2303 or later
• Citrix Workspace app for Android version 2303 or later
• Citrix Workspace app for Linux version 2303 or later
• Citrix Workspace app for Mac version 2305
• Citrix Workspace app for iOS version 2303
• Older versions of Citrix Workspace app display a Workspace domain selector menu. In this case,
the end user must select the same URL they entered when adding the store. Selecting a different
URL requires the user to sign in again.

Global App Configuration Service

• If the Global App Configuration service settings are configured for multiple Workspace URLs,
then only one Workspace URL can be added to Citrix Workspace app at a time. Adding
a second URL to Citrix Workspace app fails. For example, If GACS settings are configured
for both <https://wspmultiurlmain.yourdomain.com:443> and <https://
wspmultiurl2.yourdomain.com:443> , then the user can add only one URL to Citrix
Workspace app.
• Account addition fails if more than one GACS configured URL is found during the Global
App Configuration service discovery. For example, consider a case where a user enters
<[email protected]> in Citrix Workspace app. The domain‑based discovery finds two
results and GACS settings are configured for both of them. The response returned is: <https
://wspmultiurlmain.yourdomain.com:443> and <https://wspmultiurl2.
yourdomain.com:443>. In this case, account addition fails with Citrix Workspace app as it
supports adding only one account with GACS settings configuration.

1 {
2
3 "items": [
4 {
5
6 "domain": {
7
8 "name": "yourdomain.com"
9 }
10 ,

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 124

Citrix Workspace

11 "app": {
12
13 "workspace": {
14
15 "serviceURLs": [
16 {
17
18 "url": "https://wspmultiurlmain.yourdomain.com:443"
19 }
20 ,
21 {
22
23 "url": "https://wspmultiurl2.yourdomain.com:443"
24 }
25 ,
26 {
27
28 "url": "https://wspmultiurl3.yourdomain.com:443"
29 }
30
31 ]
32 }
33
34 }
35
36 }
37
38 ],
39 "nextToken": "None",
40 "count": 1
41 }

Configure Authentication

July 26, 2024

As an administrator, you can choose to have your subscribers authenticate to their workspaces using
one of the following authentication methods:

• Active Directory (AD)

• Active Directory plus token
• Azure Active Directory (AAD)
• Citrix Gateway
• Google
• Okta
• SAML 2.0

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 125

Citrix Workspace

Citrix Workspace also supports single sign‑on to your virtual apps and desktops. When the user enters
their Active Directory credentials, Workspace can use these to provide SSO to resources. When using
other IdPs, Workspace can use Citrix Federated Authentication Service (FAS) to provide single sign‑on
(SSO) to resources.

Choose or change authentication methods

1. Define one or more identity providers in Identity and Access Management. For instructions,
visit Identity and access management.

2. Choose or change how subscribers authenticate to their workspace in Workspace Configura‑

tion > Authentication > Workspace Authentication.

Important:

Switching authentication modes can take up to five minutes and causes an outage to your sub‑
scribers during that time. Citrix recommends limiting changes to periods of low usage. If you do
have subscribers logged on to Citrix Workspace using a browser or Citrix Workspace app, advise
them to close the browser or exit the app. After waiting approximately five minutes, they can
sign in again using the new authentication method.

Active Directory (AD)

By default, Citrix Cloud uses Active Directory (AD) to manage subscriber authentication to work‑
spaces.

To use AD, you must have at least two Citrix Cloud Connectors installed in the on‑premises AD domain.
For more information on installing the Cloud Connector, see Cloud Connector Installation.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 126

Citrix Workspace

Single Sign‑on to VDAs with AD

When using AD authentication, Workspace provides SSO capability when launching AD joined virtual
apps and desktops.

Active Directory (AD) plus token

For greater security, Citrix Workspace supports a time‑based token as a second factor of authentica‑
tion to AD sign‑in.
For each login, Workspace prompts subscribers to enter a token from an authentication app on their
enrolled device. Before signing in, subscribers must enroll their device with an authentication app
that follows the Time‑Based One‑Time Password (TOTP) standard, such as Citrix SSO. Currently, sub‑
scribers can enroll only one device at a time.
For more information, see Tech Insight: Authentication ‑ TOTP and Tech Insight: Authentication ‑
Push.

Single Sign‑on to VDAs with AD plus token

When using AD plus token authentication, Workspace provides SSO capability when launching AD
joined virtual apps and desktops.

Requirements for AD plus token

Active Directory plus token authentication has the following requirements:

• A connection between Active Directory and Citrix Cloud, with at least two Cloud Connectors
installed in your on‑premises environment. For requirements and instructions, see Connect
Active Directory to Citrix Cloud.
• Active Directory + Token authentication enabled in the Identity and Access Management
page. For information, see To enable Active Directory plus token authentication.
• Subscriber access to email to enroll devices.
• A device on which to download the authentication app.

First‑time enrollment

Subscribers enroll their devices using the enrollment process described in Register devices for two‑
factor authentication.
During first‑time sign‑in to Workspace, subscribers follow the prompts to download the Citrix SSO app.
The Citrix SSO app generates a unique one‑time password on an enrolled device every 30 seconds.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 127

Citrix Workspace

Important:

During the device enrollment process, subscribers receive an email with a temporary verification
code. This temporary code is used only to enroll the subscriber’s device. Using this temporary
code as a token for signing in to Citrix Workspace with two‑factor authentication isn’t supported.
Only verification codes that are generated from an authentication app on an enrolled device are
supported tokens for two‑factor authentication.

Re‑enroll a device

If a subscriber no longer has their enrolled device or needs to re‑enroll it (for example, after erasing
content from the device), Workspace provides the following options:

• Subscribers can re‑enroll their devices using the same enrollment process described in Register
devices for two‑factor authentication. Because subscribers can enroll only one device at a time,
enrolling a new device or re‑enrolling an existing device removes the previous device registra‑
tion.

• Administrators can search for subscribers by Active Directory name and reset their device. To
do that, go to Identity and Access Management > Recovery. During the next sign‑on to Work‑
space, the subscriber experiences the first‑time enrollment steps.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 128

Citrix Workspace

Azure Active Directory

Use of Azure Active Directory (AD) to manage subscriber authentication to workspaces has the follow‑
ing requirements:

• Microsoft Entra ID (formerly Microsoft Azure AD) with a user who has global administrator per‑
missions. For more information on the Microsoft Entra ID applications and permissions that
Citrix Cloud uses, see Azure Active Directory Permissions for Citrix Cloud.
• A Citrix Cloud Connector installed in the on‑premises AD domain. The machine must also be
joined to the domain that is syncing to Microsoft Entra ID.
• VDA version 7.15.2000 LTSR CU VDA or 7.18 current release VDA or higher.
• A connection between Microsoft Entra ID and Citrix Cloud. For information, see Connect Azure
Active Directory to Citrix Cloud.
• Any version of Citrix Workspace app. If using legacy Citrix Receiver then you must use the fol‑
lowing minimum versions:

– Citrix Receiver for Windows 4.11 CR or 4.9 LTSR CU2 or higher

– Citrix Receiver for Linux 13.8
– Citrix Receiver for Android 3.13 and later

When syncing your Active Directory to Microsoft Entra ID, the UPN and SID entries must be included
in the sync. If these entries aren’t synchronized, certain workflows in Citrix Workspace fail.

Warning:

• If you’re using Microsoft Entra ID, don’t make the registry change described in CTX225819.
Making this change might cause session launch failures for Microsoft Entra ID users.
• Adding a group as a member of another group (nesting) is supported with the
DSAuthAzureAdNestedGroups feature enabled. You can enable DSAuthAzureAdNestedGroups

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 129

Citrix Workspace

by submitting a request to Citrix Support.

After enabling Microsoft Entra ID authentication:

• Added security: For security, users are prompted to sign in again when launching an app or a
desktop. The password information flows directly from user’s device to the VDA that is hosting
the session.
• Sign‑in experience: Microsoft Entra ID authentication provides federated sign‑in, not single
sign‑on (SSO). Subscribers sign in from an Azure sign‑in page, and might have to authenticate
again when opening Citrix DaaS.

For SSO, enable the Citrix Federated Authentication Service in Citrix Cloud. See Enable single sign‑on
for workspaces with Citrix Federated Authentication Service for more information.

You can customize the sign‑in experience for Microsoft Entra ID. For information, see the Microsoft
documentation. Any sign‑in customizations (the logo) made in Workspace Configuration do not affect
the Microsoft Entra ID sign‑in experience.

The following diagram shows the sequence of Microsoft Entra ID authentication.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 130

Citrix Workspace

Sign‑out experience

Use Settings > Log Off to complete the sign‑out process from Workspace and Microsoft Entra ID. If
subscribers close the browser instead of using the Log Off option, they might remain signed in to
Microsoft Entra ID.
Important:

If Citrix Workspace times out in the browser due to inactivity, subscribers remain signed in to
Microsoft Entra ID. This prevents a Citrix Workspace timeout from forcing other Microsoft Entra
ID applications to close.

Single Sign‑on to VDAs with EntraId

When using EntraId authentication, to enable Single Sign on to VDAs you must use FAS.

Citrix Gateway

Citrix Workspace supports using an on‑premises Citrix Gateway as an identity provider to manage
subscriber authentication to workspaces. For more information, see Tech Insight: Authentication ‑
Citrix Gateway.

Requirements for Citrix Gateway

Citrix Gateway authentication has the following requirements:

• A connection between your Active Directory and Citrix Cloud. For requirements and instructions,
see Connect Active Directory to Citrix Cloud.
• Subscribers must be Active Directory users to sign in to their workspaces.
• If you’re performing federation, your AD users must be synchronized to the federation provider.
Citrix Cloud requires the AD attributes to allow users to sign in successfully.
• An on‑premises Citrix Gateway:

– Citrix Gateway 12.1 54.13 Advanced edition or later

– Citrix Gateway 13.0 41.20 Advanced edition or later

• Citrix Gateway authentication enabled in the Identity and Access Management page. This
generates the client ID, secret, and redirect URL required to create the connection between Citrix
Cloud and your on‑premises Gateway.
• On the Gateway, an OAuth IdP authentication policy is configured using the generated client ID,
secret, and redirect URL.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 131

Citrix Workspace

For more information, see Connect an on‑premises Citrix Gateway as an identity provider to Citrix
Cloud.

Subscriber experience of Citrix Gateway

When authentication with Citrix Gateway is enabled, subscribers experience the following work‑
flow:

1. The subscriber navigates to the Workspace URL in their browser or launches Workspace app.
2. The subscriber is redirected to the Citrix Gateway logon page and is authenticated using any
method configured on the Gateway. This method can be MFA, federation, conditional access
policies, and so on. You can customize the Gateway logon page so that it looks the same as the
Workspace sign‑in page using the steps described in CTX258331.
3. After successful authentication, the subscriber’s workspace appears.

Single sign‑on with Gateway

Depending on how you configure Citrix Gateway, you might not need FAS for SSO to DaaS. For more
information on configuring Citrix Gateway, visit Create an OAuth IdP policy on the on‑premises Citrix
Gateway.

Google

Citrix Workspace supports using Google as an identity provider to manage subscriber authentication
to workspaces.

Requirements for Google

• A connection between your on‑premises Active Directory and Google Cloud.

• A developer account with access to the Google Cloud Platform console. This account is required
for creating a service account and key, and enabling the Admin SDK API.
• An administrator account with access to the Google Workspace Admin console. This account is
required for configuring domain‑wide delegation and a read‑only API user account.
• A connection between your on‑premises Active Directory domain and Citrix Cloud, with Google
authentication enabled in the Identity and Access Management page. To create this connec‑
tion, at least two Cloud Connectors are required in your resource location.

For more information, see Connect Google as an identity provider to Citrix Cloud.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 132

Citrix Workspace

Subscriber experience with Google

When authentication with Google is enabled, subscribers experience the following workflow:

1. The subscriber navigates to the Workspace URL in their browser or launches the Workspace app.
2. The subscriber is redirected to the Google sign‑in page and is authenticated using the method
configured in Google Cloud (for example, multifactor authentication, conditional access poli‑
cies, and so on).
3. After successful authentication, the subscriber’s workspace appears.

Single Sign‑on to VDAs with Google

When using Google authentication, to enable Single Sign on to VDAs you must use FAS.

Okta

Citrix Workspace supports using Okta as an identity provider to manage subscriber authentication to
workspaces. For more information, see Tech Insight: Authentication ‑ Okta.

Requirements for Okta

Okta authentication has the following requirements:

• A connection between your on‑premises Active Directory and your Okta organization.
• An Okta OIDC web application configured for use with Citrix Cloud. To connect Citrix Cloud to
your Okta organization, you must supply the Client ID and Client Secret associated with this
application.
• A connection between your on‑premises Active Directory domain and Citrix Cloud, with Okta
authentication enabled in the Identity and Access Management page.

For more information, see Connect Okta as an identity provider to Citrix Cloud.

Subscriber experience with Okta

When authentication with Okta is enabled, subscribers experience the following workflow:

1. The subscriber navigates to the Workspace URL in their browser or launches the Workspace app.
2. The subscriber is redirected to the Okta sign‑in page and is authenticated using the method
configured in Okta (for example, multifactor authentication, conditional access policies, and so
on).
3. After successful authentication, the subscriber’s workspace appears.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 133

Citrix Workspace

Single Sign‑on to VDAs with Okta

When using Okta authentication, to enable Single Sign on to VDAs you must use FAS.

SAML 2.0

Citrix Workspace supports using SAML 2.0 to manage subscriber authentication to workspaces. You
can use the SAML provider of your choice, provided it supports SAML 2.0.

Requirements for SAML 2.0

SAML authentication has the following requirements:

• SAML provider that supports SAML 2.0.

• On‑premises Active Directory domain.
• Two Cloud Connectors deployed to a resource location and joined to your on‑premises AD do‑
main.
• AD integration with your SAML provider.

For more information about configuring SAML authentication for workspaces, see Connect SAML as
an identity provider to Citrix Cloud.

Subscriber experience with SAML 2.0

1. The subscriber navigates to the Workspace URL in their browser or launches Citrix Workspace
app.
2. The subscriber is redirected to the SAML identity provider sign‑in page for their organization.
The subscriber authenticates with the mechanism configured for the SAML identity provider,
such as multifactor authentication or conditional access policies.
3. After successful authentication, the subscriber’s workspace appears.

Single Sign‑on to VDAs with SAML 2.0

When using SAML authentication, to enable Single Sign on to VDAs you must use FAS.

Citrix Federated Authentication Service (FAS)

Citrix Workspace supports using Citrix Federated Authentication Service (FAS) for single sign‑on (SSO)
to Citrix DaaS. Without FAS, subscribers using a federated identity provider are prompted to enter their
credentials more than once to access their virtual apps and desktops.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 134

Citrix Workspace

For more information, see Citrix Federated Authentication Service (FAS).

More information

• Tech Brief: Workspace Single Sign‑On

• Tech Insights ‑ Citrix Workspace

Customize your workspace experience

October 14, 2024

To customize the workspace, from the menu open Workspace Configuration then the Customize
tab.

Appearance

To customize your workspace with your own logos and colors, go to the Appearance tab. For more
information, see Customize the appearance of workspaces.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 135

Citrix Workspace

Features

To customize which feature your users have access to, go to the Features tab. For more information,
see Enable and disable features.

Preferences

To modify other aspects of behavior, appearance, and configure access methods for the store, apps,
and desktops, go to the Preferences tab. For more information, see Customize security and privacy
policies, Customize workspace interactions, and Customize store access.

Customize the appearance of workspaces

May 23, 2024

Customize the Workspace user interface

This section describes how you can customize the appearance of workspaces by updating themes in
Configuration > Customize > Appearance.

Themes allow you to configure your workspace colors and logos. Logos must meet the required di‑
mensions to avoid appearing distorted or resulting in an error message.

Logo Required dimensions Max. size Supported formats

Sign‑in logo 480 x 120 pixels 2 MB JPEG, JPG, or PNG

Post sign‑in logo 340 x 80 pixels 2 MB JPEG, JPG, or PNG

Changes to the workspace appearance take effect immediately after you select Save.

Customize your default theme

The default theme includes the sign‑in logo, and the workspace logo and colors that subscribers see
after they sign in. You can change one, some, or all of these elements for the default theme.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 136

Citrix Workspace

Customize sign in appearance

For the sign‑in page, you can only replace the logo. The rest of the sign‑in page, including the colors,
isn’t affected.

Changes to the workspace appearance take effect right away. It can take around five minutes for the
updated user interface to appear in local Citrix Receiver apps.

Note:

Changes to the sign‑in logo don’t impact users who authenticate to their workspace using third‑
party identity providers, such as Microsoft Entra ID (formerly Microsoft Azure AD) and Okta.

For information on how to customize an Microsoft Entra ID (formerly Microsoft Azure AD) sign‑in
page, see the Microsoft documentation. For information on how to customize the sign‑in page
hosted by Okta, see the Okta Developer documentation.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 137

Citrix Workspace

You can also customize the on‑premises Citrix Gateway sign‑in page, configured in the Citrix ADC ap‑
pliance rather than in Workspace Configuration. For more information, see the Support Knowledge
Center article.

Customize the workspace appearance

The sign‑in logo doesn’t have to be the same as the logo that appears at the top left of the workspace
after a subscriber signs in. In addition to replacing the workspace logo, you can define the banner,
accent, and text and icon colors of the workspace.

Create multiple custom themes

Important:

The Multiple custom themes feature is available as a single‑tenant feature. If your customer is
a Citrix Service Provider tenant, it must have its own resource location, Cloud Connectors, and
dedicated Active Directory domain. Citrix Service Provider tenants that share a resource loca‑
tion, Cloud Connectors, and dedicated Active Directory domain (multitenancy) aren’t currently
supported.

You can configure and prioritize multiple Citrix Workspace themes for specific user groups. These
custom themes are listed in individual cards under the default theme. If you don’t set up multiple
themes, the existing (default) theme is applied to all users.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 138

Citrix Workspace

Configure custom themes

To add your first custom theme under your default theme, select Add theme at the bottom left of the
card under the Default appearance section.

If you already have at least one custom theme under the default theme, select Add theme at the top
right of the list of existing themes.

1. Configure your custom theme:

a) Upload your Logo (optional).

b) Define your banner, accent, and text and icon Colors (optional).

2. Select Theme Details and enter a meaningful name for the theme.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 139

Citrix Workspace

3. Assign user groups to the theme:

a) Select an identity provider, and its domain if prompted.

b) Search for the user group that you want to add to the custom theme.
c) Select the plus sign (+) button next to that group.
d) Repeat this process for each group that you want to add to your theme.

4. Select Preview to see how your workspace looks to subscribers. Save your theme changes
when you’re done.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 140

Citrix Workspace

Note:

Workspace Preview doesn’t show a preview if you’re currently working with the older
purple user interface.

5. Repeat steps 1 through 4 to continue adding new custom themes.

Prioritize custom themes

A user might belong to more than one user group, each of which might match to a different theme.
You can define which theme a subscriber sees if they match to more than one user group. It can be
achieved by setting the priority of custom themes relative to one another.

Important

For relative prioritization of custom themes to work, you must configure two or more custom
themes under the default theme.

1. Select Edit priority at the top right of the list of themes, next to Add theme.
2. You can reorder the priority of themes in one of two ways:

• Use the arrows on the right‑hand side of each theme.

• Drag individual themes up and down the list using the handle on the left‑hand side of the
card.

3. Once you’ve reordered your items, select Save order.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 141

Citrix Workspace

Customize workspace interactions

November 21, 2024

Customize how subscribers interact with their workspaces in Workspace Configuration > Customize
> Preferences.

If you want to customize workspace preferences that affect the sign‑in experience to align with your
company requirements, visit Customize workspace security and privacy policies.

If you want to customize the pre‑login and post‑login workspace appearance, visit Customize the ap‑
pearance of workspaces

Allow Caching

The Allow Caching setting enhances performance for subscribers accessing Citrix Workspace through
a web browser. Caching is supported when accessing Citrix Workspace with a supported web browser.
Caching isn’t available when using a locally installed Citrix Workspace app.

When caching is enabled, some sensitive data might be stored locally on subscribers’devices. This
data consists of file metadata and is encrypted with a key that’s unique to the subscriber’s authenti‑
cated identity. The encrypted data is stored in the web browser’s localStorage property on the
subscriber’s device.

If you disable caching, the encrypted data is purged the next time the subscriber signs in to Citrix
Workspace through their web browser. Also, the subscriber can purge this data manually by clearing
browsing data from their web browser.

Allow Favorites

Customers, who have access to Workspace Configuration and the new Workspace experience, can
allow users to add or remove their favorite apps and desktops on Citrix Workspace app. Users can
quickly access their favorite apps and desktop on the Home tab. The Allow Favorites feature is en‑
abled by default.

To configure the Allow Favorites feature, do the following instructions:

1. Navigate to Workspace Configuration > Customize > Preferences.

2. Click the toggle button to enable or disable the feature.
3. Select the declaration check box, and click Save.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 142

Citrix Workspace

Note:

For some existing customers (new to Workspace between December 2017 and April 2018), Allow
Favorites defaults to Disabled. You can decide when to enable this feature for your users.

User experience

When you enable the Allow Favorites feature, users can add up to 250 favorites by clicking the star
icon at the upper‑left corner of apps and desktops cards. The star icon turns to a golden color when
users mark it as their favorite. Clicking the star icon again removes it from the favorite list.

When a user adds more than 250 favorite resources, the oldest favorite resource is removed (or as
close as possible) to preserve the most recent favorite resources.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 143

Citrix Workspace

When you disable the Allow Favorites feature, the favorites resources get removed from the Home tab
of Citrix Workspace app. And, it’s not available for quick access. Users can still access those resources
from the Apps tab and Desktops tab.
Note:

• Allow Favorites feature is enabled by default.

• If your users don’t have access to the desktops configured, the Desktop tab doesn’t appear
on the navigation bar.

Apps and Desktops keywords

You can automatically add favorite apps or desktops for users by using KEYWORDS:Auto and
KEYWORDS:Mandatory settings in Citrix DaaS (Manage > Full Configuration > Applications).

• KEYWORDS:Auto ‑ The app or desktop is added as a favorite and users can remove it from the
favorite list as per their preference.

• KEYWORDS:Mandatory ‑ The app or desktop is added as a favorite, and users can’t reverse this
action. Mandatory apps and desktops display a star icon with a padlock to indicate that it can’
t be removed from the favorite list.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 144

Citrix Workspace

Note:

If you use both Mandatory and Auto keywords for an app, the Mandatory keyword overrides
the Auto keyword, and the apps or desktops that are added as favorites can’t be removed.

Home tab

You can enable or disable the Home tab for your users.

To configure the setting:

1. Sign in to your Citrix Cloud account and navigate to Workspace Configuration > Customize >
Preferences.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 145

Citrix Workspace

2. Under Home tab, set the toggle to Enabled or Disabled.

3. Select the declaration check box.
4. Click Save.
5. When the toggle is on, users are navigated to the Home page. If you disable the toggle, the users
land directly on the Apps page. By default, the toggle is on and the feature is enabled.

When enabled (the default), the Home tab is displayed. When disabled, there is no Home tab and
users land on the Apps tab.

This feature does not apply when Always display navigation tabs is disabled and users have more than
20 apps or desktops. In this case, the tabs are hidden.

Always display navigation tabs

By default, if the user has fewer than 20 resources, the UI displays a Simple View that doesn’t have
any tabs or categories. To disable the Simple View and enable the navigation tabs for a consistent
experience, even if there are fewer than 20 resources, do the following:

1. Sign in to your Citrix Cloud account and navigate to Workspace Configuration > Customize >
Preferences.
2. Go to the section Always display navigation tabs.
3. Click the toggle button to enable or disable the feature.
4. Select the declaration check box.
5. Click Save.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 146

Citrix Workspace

Automatically Launch Desktop

You can configure Workspace to automatically launch the user’s desktop. When enabled, if a user
has only one available desktop, the desktop automatically launches when the user signs in to their
workspace. When disabled (default), users must manually launch their desktop after signing in.

This feature only applies when using a web browser, not Citrix Workspace app.

To change the configuration:

1. Navigate to Workspace Configuration > Customize > Preferences.

2. Under Automatically Launch Desktop, set the toggle to Enabled or Disabled.
3. Press Save.

Launching apps and desktops

The Launching apps and desktops setting is available to customers who have access to Workspace
Configuration and the new Workspace experience. The preference is available to new and existing

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 147

Citrix Workspace

customers. However, the introduction of this feature doesn’t change any settings for existing cus‑
tomers.

The preference applies to the way users open apps and desktops delivered by Citrix DaaS only. This
can be the Citrix DaaS service or on‑premises from the Site aggregation feature. Launching apps
and desktops doesn’t apply, for example, to SaaS apps delivered by the Citrix Gateway service.

Choose one of the following settings:

• In a native app (default): End users are required to use a locally installed version of the Work‑
space app.
• In a browser: End users are required to use a browser version of the Workspace app for HTML5.
• Let end users choose: End users can choose between a locally installed version of the Work‑
space app or launch apps and desktops in a browser.

An additional option for In a native app and Let end users choose prompts users to install the latest
version of Citrix Workspace app if a local app isn’t detected automatically. Remove this selection if
your subscribers don’t have the rights to install software.

Manage installation prompt for Workspace Web Extension

Workspace can detect whether a user has installed Workspace Web Extension on their device or not.
If not, Workspace prompts the user to download and install the extension. The Workspace detection
step doesn’t get displayed if the user installs the extension.

To manage installation prompt for Workspace Web Extension, navigate to Workspace Configuration
> Customize > Preferences > Launching apps and desktops, and then choose one of the following
settings:

• Prompt end users to download the Workspace Web Extension but allow access to Work‑
space if it isn’t detected (default): End users are allowed to use Workspace even if they decide
to install the Workspace Web Extension later.
• Require end users to download the Workspace Web Extension and block access to Work‑
space until it is detected: End users aren’t allowed to use Workspace until they install the
Workspace Web Extension.
• Do not prompt end users to download the Workspace Web Extension: Workspace doesn’t
prompt end users to install the Workspace Web Extension.

Customize security and privacy policies

November 21, 2024

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 148

Citrix Workspace

This article provides guidance on how to customize the sign‑in experience after you’ve already con‑
figured workspace access and authentication.

For an overview on configuring workspace access and authentication, visit Configure access. For in‑
formation on how to configure subscriber authentication to workspaces, visit Configure Authentica‑
tion.

Workspace Session

Use the Workspace Session settings in Workspace Configuration > Customize > Preferences to
choose when users need to enter their credentials and for how long users remain logged in. Once you
have have updated the settings, press Save to apply them or Revert to cancel them.

Federated identity provider sessions

When enabled (default), Workspace forces a sign‑in prompt with the identity provider when a new
Workspace session is needed. For OIDC authentication, Workspace includes prompt=login in the
authentication request. For SAML authentication, Workspace sends ForceAuthn=true in the au‑
thentication request.

When disabled, users might not be prompted to authenticate with the identity provider if the identity
provider already has a valid session.

Inactivity timeout for web

Use the Inactivity Timeout for Web setting to specify the amount of idle time allowed (a maximum
of 8 hours) before web users are automatically signed out of Citrix Workspace. Only interactions with
Workspace, such as refreshing the page or launching an app, count as activity.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 149

Citrix Workspace

Unlike manual sign‑out, which disconnects DaaS sessions, users stay connected to their DaaS ses‑
sions even after timeout due to inactivity. The users are not signed out from their Identity Provider.
Therefore if Federated identity provider sessions is off, the user might be able to log back in without
entering their credentials.

Inactivity timeout for Workspace app on desktop

Use the Inactivity Timeout for Workspace App ‑ Desktop setting to specify the amount of idle time
allowed (a maximum of 24 hours) before web users are automatically signed out of Citrix Workspace
app for Windows, Mac and Linux. Any interaction with the mouse or keyboard counts as activity and
extends the timeout.

Unlike manual sign‑out, which disconnects DaaS sessions, subscribers stay connected to their DaaS
sessions even after timeout due to inactivity.

You can modify the setting using the PowerShell API. Use the Set-WorkspaceCustomConfiguration
cmdlet with parameter InactivityTimeoutInMinutes.

Inactivity timeout for Workspace app on mobile

Use the Inactivity Timeout for Workspace App ‑ Mobile setting to specify the amount of idle time
allowed (a maximum of 24 hours) before Citrix Workspace app is locked. This applies to Citrix Work‑

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 150

Citrix Workspace

space app for iOS and Android. Once locked, users must use biometrics or their device PIN to unlock
Citrix Workspace app.

You can modify the setting using the PowerShell API. Use the Set-WorkspaceCustomConfiguration
cmdlet with parameter InactivityTimeoutInMinutesMobile.

Set Authentication Period for Citrix Workspace app

Use the Authentication Period for Citrix Workspace app settings to specify the length of time users
can stay signed in to Citrix Workspace app before needing to sign in again. These settings do not apply
to web browsers.

The Reauthentication Period defines the maximum time before users must reauthenticate. By de‑
fault this is set to 30 days but you can configure a value between 1 and 365 days. If the period is greater
then 1 day then when the user authentications they must provide consent to stay signed in.

The Inactivity Period defines how long a user can be inactive before they must reauthenticate. By
default this is 4 days but you can configure it to a value between 1 day and the Reauthenticaiton Period.
If a user is inactive for more than this value, they are prompted to reauthenticate the next time that

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 151

Citrix Workspace

they attempt to access their workspace. To set an inactivity period of less than 24 hours on desktop,
use the Inactivity Timeout for Workspace App on Desktop setting.

You can invalidate the session for your subscribers by downloading this PowerShell script and follow‑
ing the instructions included in the download. Once you’ve invalidated sessions, subscribers must
reauthenticate to their workspaces in the next 24 hours.

Supported Workspace app clients The following versions of Citrix Workspace app support this fea‑
ture:

• Workspace app 2106 for Windows or later

• Workspace app 2106 for Mac or later
• Workspace app for 21.6.5 iOS or later
• Workspace app for 21.6.0 Android or later

Supported authentication methods Staying signed in to Citrix Workspace app is supported for the
following authentication methods:

• Active Directory
• Active Directory plus token
• Entra ID
• Citrix Gateway
• Okta

Note:

For the same experience as a Citrix DaaS customer using Okta or Azure Active Directory, configure
the Citrix Federated Authentication Service (FAS). For more information about FAS, see Enable
single sign‑on for workspaces with Citrix Federated Authentication Service.

Subscriber experience for staying signed in When subscribers sign in to Workspace on their de‑
vice, Workspace prompts them to consent to staying signed in.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 152

Citrix Workspace

When the subscriber selects the Allow option, they stay signed in during the reauthentication period.
If no activity is detected on a subscriber’s device for the configured number of days, the subscriber
is automatically prompted to reauthenticate. After they sign in to the Citrix Workspace app, the reau‑
thentication period remains in effect as long as they’re using their apps and desktops on the device.

If the subscriber selects Deny, the user might be prompted to sign in for a second time. Afterward,
Workspace prompts the subscriber to sign in again after 24 hours have passed.

If the subscriber’s password changes, the subscriber must sign out and sign in again through Citrix
Workspace app for the reauthentication period to continue to work.

Allow subscribers to change their account password

The Allow Account Password to be Changed setting in Workspace Configuration > Customize >
Preferences controls whether subscribers can change their domain password from within Citrix Work‑
space. You can also provide guidance to subscribers so that they can create valid passwords in line
with your organization’s password policy.

When enabled (default), subscribers can change their password at any time, based on your organiza‑
tion’s Active Directory settings. If disabled, Workspace prompts subscribers to change their password
when it expires, but they can’t change their unexpired password within Workspace.

Supported authentication methods

• Active Directory
• Active Directory plus token

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 153

Citrix Workspace

Supported Workspace app clients

The following versions of Citrix Workspace app support this feature:

• Workspace app for Windows 2101 or later

• Workspace app for Mac 2012 or later
• Workspace app for Chrome 2010 or later
• Workspace app for HTML5 2101 or later
• Workspace app for Android 21.1.0 or later

Subscribers can also use this feature when accessing workspaces from a web browsers.

This feature isn’t supported on the following:

• Older versions of Citrix Workspace app

• Citrix Workspace app for Linux

Password guidance

You can add up to 20 password requirements to meet your organization’s security policy and that
your identity provider enforces. Workspace displays these requirements as a guide when subscribers
change their password from their Account Settings page in Workspace. If you don’t add any pass‑
word requirements, Workspace displays the message “Your organization’s password requirements
still apply.”

Important:

Citrix Workspace doesn’t validate new passwords that your subscribers enter. If a subscriber
tries to change their valid password to an invalid one through Workspace, your identity provider
rejects the new password. The existing password isn’t changed.

To add password requirements:

1. Navigate to Workspace Configuration > Customize > Preferences.

2. Under Allow Account Password to be Changed, check that the setting is in the enabled state.
If disabled, enable the setting.

3. Select Add a password requirement.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 154

Citrix Workspace

4. Enter a requirement that matches your organization’s security requirements for valid pass‑
words. For example, you can specify that a password must be a certain character length. Select
Add a password requirement to add more items for subscribers when they change their
password.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 155

Citrix Workspace

5. When you’re finished adding requirements, select Save.

6. Select Save again to save all your setting changes.

Subscriber experience when changing passwords

Tip:

To increase awareness of this feature with your subscribers, consider including a recommenda‑
tion in your internal knowledgebase for subscribers to change their domain passwords through
Workspace. Download pdf file for instructions you can include in your own communications and
knowledgebase articles.

When Allow Account Password to be Changed is enabled, subscribers can change their password in
Workspace by going to Account Settings > Security & Sign in.

Select View Password Requirements to display all the requirements you entered in Workspace Con‑
figuration.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 156

Citrix Workspace

Subscribers are automatically signed out of Workspace after changing their password and must sign
in again with their new password.

Send custom announcements

Send a custom announcement to display a time‑limited message of your choosing, such as an upcom‑
ing maintenance window.

The custom announcement is displayed for all subscribers in all clients including web and mobile
devices. Subscribers see the message after they sign in. Subscribers can’t dismiss this announcement,
but they can minimize it on their mobile device.

1. From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences >
Send custom announcement > Configure.
2. Enter the title and text of the message that you want to display, and select the dates, times, and
placement (top or bottom) for displaying the message to subscribers.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 157

Citrix Workspace

3. To view how your message appears to subscribers, select Preview.

4. When you’re finished, select Save.

Configure a sign‑in policy

Create a custom sign‑in policy to inform subscribers of your organization’s End‑User License Agree‑
ment (EULA) when they sign in to their workspace.

When enabled and configured, the sign‑in policy is displayed in all clients including web and mobile
devices. Subscribers can see the sign‑in policy when they sign in. Subscribers can’t bypass the policy
and must accept it to sign in to their workspace.

1. From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences.

2. In the Sign in policy section, select Configure. If a policy exists, the button reads Edit, instead.

3. Enable the feature using the toggle under Enable policy.

4. In Policy header, enter a title for the policy.

5. Enter the policy text that subscribers must agree to before signing in. If needed, add localized
text for other languages in the same text box.

6. Enter a name for the button that subscribers must select to agree to the policy.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 158

Citrix Workspace

7. Select Preview to see what the policy looks like for subscribers.

8. When you’re finished, select Save.

Note

If you have Citrix Gateway configured as your Workspace identity provider, you might already
have a sign‑in policy as part of your AAA and nFactor authentication flow. Citrix recommends
that you configure only one sign‑in policy, either as part of your existing nFactor authentication
flow or outside the flow using the Citrix Cloud administration console.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 159

Citrix Workspace

Customize store access

October 16, 2024

Administrators can choose whether end users are required to authenticate and access their store
through either Citrix Workspace app or a third‑party web browser (HTML5) such as Chrome, Safari,
Firefox, and Edge.
If end users access apps and desktops through a third‑party browser, you can also decide where both
virtual web and SaaS apps and desktops open. Administrators can define whether apps and desktops
always open in a browser (HTML5) or the native app. In this case, if you prefer users to use the native
app, make sure they have Citrix Workspace web extension installed.

Mandate end users to authenticate and access apps and desktops through native app

Note:

This feature is disabled by default. To enable this feature, the administrators have to configure
this feature through Citrix Cloud. For more information, see Configuration.

Enforcing native Citrix Workspace app on user devices implies restricting end users to sign in and
use only the locally installed Citrix Workspace app. By doing so, end users can’t access Citrix Work‑
space web client in browsers, except through Citrix Enterprise Browser. This feature is designed for
customers who want to use the full benefits of the native app.
The native Citrix Workspace app offers the following advantages:

• Enhanced security as it doesn’t require downloading the .ica file.

• Enhanced reliability for opening apps and desktops, as it doesn’t rely on client detection.
• In‑built App Protection service provides an additional layer of security to protect against key‑
logging and screen‑capturing malware.
• No dependency on the Citrix Workspace web extension.
• No browser compatibility checks. As the native app has no dependency on browsers, there’s
need for browser compatibility checks, unlike the Workspace web client.
• Better telemetry because the native app offers extensive information for monitoring purposes.
• Enhanced HDX capabilities with enhanced features such as optimized codec compression and
efficient audio‑video compression. These improvements provide high quality and performance
for tasks involving high‑definition content or graphics‑intensive apps.

Supported platforms

All platforms are supported such as Windows, Mac, Linux, ChromeOS, Android, and iOS.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 160

Citrix Workspace

Note:

Automatic store addition is not supported on Linux and ChromeOS platforms and has version
requirement on Windows and Mac platforms. In such cases, users need to manually add the
store url in the native app. For more information, see Manual store addition.

Configuration

Administrators can use their Citrix Cloud account to mandate the use of native Citrix Workspace app
on user devices. To manage this feature, follow these steps:

1. Navigate to Workspace Configuration > Customize > Preferences in Citrix Cloud.

2. Under Store access, select Require end users to access their store from the Citrix client app.

[Optional] Select Prompt end users to download Citrix Workspace app to prompt the users
to download Citrix Workspace app if they don’t have the app installed on their device. For more
information, see Configure native app download link for end users.

3. Click Save to save the changes, or click Revert to discard the changes.

End user experience

Stage 1. Native app mandate Once administrators enforce the native app as mandatory, end users
can’t use the Citrix Workspace web client in browsers. When users try to access web client by entering
a store URL in a browser, they see the following webpage that prompts to open the native app.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 161

Citrix Workspace

1. Click Open Citrix Workspace.

The client detection process starts, checking whether Citrix Workspace app is installed locally
on the user device.

The Open Citrix Workspace Launcher prompt appears asking users to open the native app.

2. Click Open Citrix Workspace app.

If a user doesn’t see the prompt or doesn’t click Open Citrix Workspace app on the prompt within 5
seconds, the webpage provides the following extra options to continue:

• The store URL to copy and add manually in the native Citrix Workspace app.
• A download link to install Citrix Workspace app. The behavior of this link depends on how ad‑
ministrators have configured it. For more information, see Configuration.
• The link to the end‑user guide, which provides step‑by‑step instructions for installing and open‑
ing Citrix Workspace app.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 162

Citrix Workspace

Note:

If a user is using the Safari browser on an iPad, the browser can’t differentiate it from a Mac
desktop. Therefore, the user has to click the I am on iPad link to proceed with automatic store
addition.

Automatic store addition is not supported on Linux and ChromeOS. As a result, the Open Citrix
Workspace Launcher prompt doesn’t appear on these devices. In such cases, users need to
manually add the store url in the native app. For more information, see Manual store addition.

Stage 2: Store Addition

Automatic store addition Compatible versions of Citrix Workspace app

The following are the compatible Citrix Workspace app versions that support automatic store addi‑
tion:

Operating system Compatible version

Windows 24.9.0 or later

Mac 24.5.0 or later
Android and iOS 24.9.0 or later

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 163

Citrix Workspace

Note:

Citrix Workspace app for Windows version 24.5.0 supports automatic store addition in preview
mode and it is disabled by default. To enable it:

1. Launch the registry editor.

2. Navigate to the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\
Citrix\Dazzle registry path.
3. Create a registry value with the following attributes:
• Registry key name: GoNativeForCloudEnabled
• Type: String Value
• Value: True
4. Restart the Citrix Workspace app for the changes to take effect.

Once users click Open Citrix Workspace app, the following dialog box appears to request the user’s
confirmation to add the store URL to the native app.

Click Add store.

Once clicked, the native app automatically captures the store URL entered in the browser and displays
the authentication page for the user to sign in. After the successful authentication, the user can see
the home page of the native Citrix Workspace app.

Manual store addition Users can manually add a store to Citrix Workspace app if the native app
doesn’t automatically capture the store URL when they click the Add store option.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 164

Citrix Workspace

1. Copy the store URL from the native mandate webpage, and paste it into the Welcome to Citrix
Workspace page.

2. Click Continue.

After submitting a valid store URL, Citrix Workspace app displays the authentication page for the user
to sign in. After the successful authentication, the user can see the home page of the native Citrix
Workspace app.

Launch virtual apps and desktops

If administrators don’t prefer to mandate the use of native apps for authentication and accessing apps
and desktops, you can allow end users to authenticate and access their store through a third‑party

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 165

Citrix Workspace

web browser and open apps and desktops using either a web browser (HTML5) or the native app.

The preference applies to the way users open apps and desktops delivered by Citrix DaaS only. This
can be the Citrix DaaS service or on‑premises from the Site aggregation feature.

To manage this feature, follow these steps:

1. Navigate to Workspace Configuration > Customize > Preferences in Citrix Cloud.

2. Under Store access, select Allow end users to access their store from the Citrix client app
or a web browser and choose the appropriate setting:

• Open in the Citrix client app: For more information, see Authenticate in browser and
access apps and desktops in native app.
• Open in a web browser: For more information, see Authenticate and access apps and
desktops in browser (HTML5).
• Let the user choose: For more information, see End users can choose either the native
app or browser.

Authenticate in browser and access apps and desktops in native app

Administrators can allow end users to authenticate and access their store from a web browser, and
open apps and desktops using the native app only. To manage this feature, follow these steps:

1. Navigate to Store access.

2. Under Launch virtual apps and desktops, click Open in the Citrix client app.

[Optional] Select Prompt end users to download Citrix Workspace app to prompt the users
to download Citrix Workspace app if they don’t have the app installed on their device. For more
information, see Configure native app download link for end users.

3. Click Save to save the changes.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 166

Citrix Workspace

Authenticate and access apps and desktops in a browser (HTML5)

Administrators can allow end users to authenticate and access their store from a web browser, and
open apps and desktops using a web browser (HTML5).

1. Navigate to Store access.

2. Under Launch virtual apps and desktops, click Open in a web browser.

[Optional] Select Prompt end users to download Citrix Workspace app to prompt the users
to download Citrix Workspace app if they don’t have the app installed on their device. For more
information, see Configure native app download link for end users.

3. Click Save to save the changes.

Resources delivered by Citrix Virtual Apps and Desktops are aggregated in a store and made available
through a Citrix Workspace app for the website. With Citrix Workspace app for HTML5 enabled on the
website, users can access apps and desktops within their web browsers. For more information, see
the Citrix Workspace app for ChromeOS product documentation.

Note:

The Citrix web extension setting isn’t applicable for the Open in the Citrix client app option.

End users can choose either the native app or browser

Administrators can allow users to authenticate and access store from a web browser (HTML5), and
open the apps and desktop using either a browser or native app.

1. Navigate to Store access.

2. Under Launch virtual apps and desktops, click Let the user choose.
[Optional] Select Prompt end users to download Citrix Workspace app to prompt the users
to download Citrix Workspace app if they don’t have the app installed on their device. For more
information, see Configure native app download link for end users.
3. Click Save to save the changes.

Manage installation prompt for Citrix Workspace web extension

Workspace can detect whether a user has installed Workspace Web Extension on their device or not.
If not, Workspace prompts the user to download and install the extension. The Workspace detection
step doesn’t get displayed if the user installs the extension.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 167

Citrix Workspace

To manage installation prompt for Workspace Web Extension, navigate to Workspace Configuration
> Customize > Preferences > Launching apps and desktops, and then choose one of the following
settings:

• Prompt end users to download the Workspace Web Extension but allow access to Work‑
space if it isn’t detected (default): End users are allowed to use Workspace even if they decide
to install the Workspace Web Extension later.
• Require end users to download the Workspace Web Extension and block access to Work‑
space until it is detected: End users aren’t allowed to use Workspace until they install the
Workspace Web Extension.
• Do not prompt end users to download the Workspace Web Extension: Workspace doesn’t
prompt end users to install the Workspace Web Extension.

Configure native app download link for end users

Administrators can prompt end users to download Citrix Workspace app if they don’t have the app
installed on their device.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 168

Citrix Workspace

Select either of the following option:

• The latest Windows or Mac version: Prompts users to download the latest version of Citrix
Workspace app on their devices. When users click the download link, they’re redirected to the
respective download page.

Note:

For devices running Linux, when users click the download link, it opens the Citrix Download page
where the users can manually download the executable file. For ChromeOS, Android and iOS
devices, the download link redirects users to the Chrome Web Store, Play Store, and App Store
respectively.

• A specific download version: In the Download URL text field, provide the URL of the Citrix
Workspace app version you want users to download.

Note:

Administrators need to provide the download URL for the specific version of Citrix Workspace
app based on the operating system of the user device. If there are users who have both Windows
and Mac devices, administrators can give a common link that directs to Citrix Workspace app
download page instead of giving a URL for just one operating system.

Integrate services into workspaces

February 22, 2024

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 169

Citrix Workspace

This article outlines the steps involved in adding services to Citrix Workspace, which is a two‑step
process:

1. Configure individual services in Citrix Cloud. You can find a list of Citrix Cloud services that link
to instructions for each one in Citrix Cloud Services.
2. Enable (and disable) access to your configured services in Workspace Configuration > Service
Integrations.

Configure services

Your purchased services are displayed in a card layout in the Citrix Cloud dashboard. Services that
you’ve purchased include a Manage button.

To configure purchased services:

1. Sign in to Citrix Cloud.

2. Select Manage in the tile of the service that you want to configure.
3. Follow the instructions for setting up that service.

For a brief description of cloud‑hosted services, visit Cloud‑hosted services through Citrix Work‑
space.

If you’d like to try a new service, you can request a trial or demo. For more information on service
trials, visit Citrix Cloud Service Trials.

Enable services

Once you’ve configured your services, you can integrate them into Citrix Workspace.

Subscribing to DaaS and the Remote Browser Isolation service enables them by default. All other
new services that your organization subscribes to are disabled by default.

Note:

Both the Citrix Apps Essentials service and the Citrix DaaS display as “Citrix DaaS”in the Ser‑
vice Integrations tab of Workspace Configuration.

To enable workspace integration for a service:

1. Navigate to Workspace Configuration > Service Integrations.

2. Select the ellipses button next to the service and then select Enable.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 170

Citrix Workspace

Disable services

Disabling workspace integration blocks subscriber access for that service. This doesn’t disable the
Workspace URL, but subscribers can’t access data and applications from that service in Citrix Work‑
space.

To disable workspace integration for a service:

1. Navigate to Workspace Configuration > Service Integrations.

2. Select the ellipses button next to the service and then select Disable.
3. When prompted, select Confirm to acknowledge that subscribers won’t have access to data or
applications from the service.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 171

Citrix Workspace

Optimize DaaS in Citrix Workspace

May 23, 2024

You can improve the efficiency and availability of your DaaS apps and desktops with the following
options:

• Make your existing, on‑premises virtual apps and desktops deployment available to Workspace
subscribers with site aggregation.

• Optimize connectivity with Direct Workload Connection, which involves configuring network
locations in Citrix Cloud.

• Ensure service continuity during an outage for offline resilience.

• Configure single sign‑on (SSO) to DaaS with Citrix Federated Authentication Service (FAS).

Site aggregation

Site aggregation allows you to add your on‑premises virtual apps and desktops deployment to your
Workspace so that subscribers can access these resources alongside cloud‑managed resources.

For more information on site aggregation, see Aggregate on‑premises virtual apps and desktops in
workspaces.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 172

Citrix Workspace

For more information on scalability limits, see Workspace platform scalability limits.

Direct Workload Connection

Direct Workload Connection uses network locations to switch between internal and external routes
to the virtual machines that host your virtual apps and desktops.

With Direct Workload Connection, you allow clients inside your corporate network to switch to direct
launches of Citrix DaaS. Direct launches don’t require the HDX connections between clients and VDAs
to be proxied through a gateway. Direct Workload Connection requires at least one internal network
location.

For more information, visit Optimize connectivity with Direct Workload Connection.

Service continuity

Service continuity ensures that subscribers maintain access to critical apps and desktops through
Citrix Workspace app if there’s a Citrix Cloud outage.

Service continuity stores connection leases on client disks that have Citrix Workspace app installed.
Connection leases are refreshed periodically when clients access the Workspace store. Clients can
then launch Citrix DaaS that they could access before the outage. For more information, visit Service
continuity.

Citrix Federated Authentication Service (FAS)

Citrix Workspace supports using Citrix Federated Authentication Service (FAS) for single sign‑on (SSO)
to Citrix DaaS. FAS allows subscribers using a federated identity provider, such Microsoft Entra ID (for‑
merly Microsoft Azure AD) or Okta, to enter their credentials only once when they sign in to their work‑
spaces. Without FAS, subscribers using a federated identity provider are prompted to enter their cre‑
dentials more than once to access their virtual apps and desktops.

Using FAS with Workspace has the following requirements:

• A FAS server configured as described in the Requirements section of the FAS product documen‑
tation.

• A connection between your FAS server and Citrix Cloud, created through the Connect to Citrix
Cloud option in the FAS installer.

• A connection between your on‑premises Active Directory domain and Citrix Cloud, with FAS
enabled in Workspace Configuration.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 173

Citrix Workspace

For information about implementing FAS, see Enable single sign‑on for workspaces with Citrix Feder‑
ated Authentication Service.

Aggregate Virtual Apps and Desktops in workspaces

August 28, 2024

You can add your site (Virtual Apps and Desktops deployment) to Citrix Workspace to make your exist‑
ing apps and desktops available to subscribers. After adding your site, subscribers can access all their
virtual apps and desktops alongside Files and other resources, when they sign in to their workspace.
This process is known as site aggregation.

Site aggregation is available in all Citrix Workspace editions. For more information about the features
included in each Workspace edition, see the Citrix Workspace Feature Matrix.

Note:

For information on aggregating DaaS sites, refer to Centralized site management (Technical Pre‑
view).

Aggregate on‑premises Virtual Apps and Desktops

The following sections provide detailed information on aggregating on‑premises Virtual Apps and
Desktops.

Supported environments

For minimum supported versions of Citrix Virtual Apps and Desktops, see System requirements.

Connecting to Citrix Cloud is required for using FAS with Citrix Workspace. Update your FAS servers to
the latest version of the FAS software so that you can connect to Citrix Cloud. For more information,
see Enable single sign‑on for workspaces with Citrix Federated Authentication Service.

Workspace platform scalability limits

The following scalability limits apply to Workspace platform:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 174

Citrix Workspace

Limit type SLI metric SLO threshold limit

Usage limits Concurrent end users for all 500

aggregated on‑prem Citrix
virtual apps and desktops sites
Extra backend/frontend Number of on‑prem Citrix 4
integration limits virtual apps and desktops sites

Note:

If the number of backend/frontend integration sites increases beyond four, sites can experience
slow response times. Service continuity or LHC support is also not present for on‑prem sites.

Task overview

When you add your on‑premises site to Citrix Workspace, the Add Site wizard guides you through the
following tasks:

1. Discover your site and select the resource location you want to use.
2. Detect the Active Directory domains in which your Cloud Connectors are installed.
3. Specify the connectivity that you want to use between Citrix Cloud and your site.

The resource location specifies the domain and connectivity method for all users who access your
site. During this process, Citrix Cloud tests connectivity to verify that your site is reachable from Cloud
Connectors. Citrix Cloud then displays a list of your resource locations. If you have resource locations
with no Cloud Connectors installed, download and install the required software.

For external connectivity, you can use your own Citrix Gateway or use the Citrix Gateway service. To
only allow users on the same network as your site to access applications, specify internal‑only ac‑
cess.

Prerequisites

Cloud Connectors

Cloud Connectors allow Citrix Cloud to locate and communicate with your site. For minimal interrup‑
tion, Citrix recommends installing Cloud Connectors before adding your site to Citrix Workspace.

For high availability, Citrix recommends at least two (2) servers on which to install Citrix Cloud Con‑
nector software. These servers must:

• Meet the system requirements described in Cloud Connector Technical Details.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 175

Citrix Workspace

• Have no other Citrix components installed.

• Not be an Active Directory domain controller.
• Not be a machine that is critical to your resource location infrastructure.
• Be joined to your site domain. If users access your site’s applications in multiple domains, install
at least two Cloud Connectors in each domain.
• Connect to a network that can contact your site.
• Connect to the Internet. For more information, see System and Connectivity Requirements.

For more information about installing Cloud Connectors, see Cloud Connector Installation.

Web proxy configuration

If you have a web proxy in your environment, check that the Cloud Connectors can validate connec‑
tivity to the XML Service in your site. Add each XML server within the site to the bypass proxy list on
each Cloud Connector. Don’t use wildcards or IP addresses because the Cloud Connector supports
handling FQDNs only.

1. Add the XML servers to the bypass proxy list:

a) On the Cloud Connector, select Start and then type Internet Options.
b) Select the Connections tab and then select LAN Settings.
c) Under Proxy server, select Advanced.
d) Under Exceptions, add the FQDN of each XML server in your site using lowercase letters.
If these entries use mixed‑case or uppercase letters, site aggregation might fail. For more
information, see CTX272160 in the Citrix Support Knowledge Center.

2. Import the list so that the Cloud Connector services can consume them. At the command
prompt, type netsh winhttp import proxy source=ie.
3. From the Services console, restart all Citrix Cloud services on each machine hosting the Cloud
Connector or restart each machine.

Active Directory

Site aggregation supports sites that use an on‑premises Active Directory.

Azure Active Directory configuration To add sites using Azure Active Directory to Citrix Workspace,
configure your site to trust XML Service requests. For detailed instructions, refer to the following arti‑
cles:

For XenApp and XenDesktop 7.x and Virtual Apps and Desktops 7 1808, see CTX236929.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 176

Citrix Workspace

Important:

If you use Azure Active Directory, Okta, SAML, or other federated identity provider with work‑
spaces and site aggregation, users are prompted to authenticate to each application they launch.

FAS provides a single sign‑on (SSO) experience for launching resources using federated authen‑
tication. To enable SSO for subscribers, register one or more FAS servers with the same resource
location that you configured for adding your site.

Active Directory trusts If you have separate user and resource forests in Active Directory, you must
have Cloud Connectors installed in each forest before you add your on‑premises site. Citrix Cloud
detects these forests during the site discovery process through the Cloud Connectors. You can then
use the forests’users and resources to create workspaces for your users.

Limitations:

When adding your site, you can’t use separate user and resource forests when you define the resource
location. Because Cloud Connectors don’t participate in any cross‑forest trusts that might be estab‑
lished, Citrix Cloud can’t discover your site through the Cloud Connectors in these forests. You can
use these forests when you define a secondary resource location that provides a different connectiv‑
ity option for your users. For more information, see Add IP ranges for different connectivity options.

Untrusted forests aren’t supported for site aggregation. Although Citrix Cloud and Citrix Workspace
support users from untrusted forests, these users can’t use Citrix Workspace after an on‑premises site
is added through site aggregation. Only users located in the forests that the site trusts can sign in and
use Citrix Workspace. If users from an untrusted forest try to sign in to Citrix Workspace, they receive
the error message, “Your logon has expired. Please log on again to continue.”

Internal and external connectivity to workspace resources

During the process of adding your site to Citrix Workspace, you can specify if you want to provide
internal or external access to the resources available to users. If you intend to allow only internal
users to access your site through Citrix Workspace, users must be on the same network as the site to
access applications.

If you intend to allow external users to access these resources, you have the following options:

• Use your existing Citrix Gateway to handle the traffic between your on‑premises site and Citrix
Cloud. Your Citrix Gateway must be configured to use Cloud Connectors as the Secure Ticket
Authority (STA) servers before you add your Site to Citrix Workspace. For instructions, see
CTX232640.
• Use the Citrix Gateway service to allow Citrix to handle the traffic between your site and Citrix
Cloud for you. You can activate a service trial and configure the service when you add your site.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 177

Citrix Workspace

If you’ve already signed up for the Citrix Gateway service, Citrix Cloud detects your subscription
when you select this option.

Note:

For Citrix Cloud to detect your Citrix Gateway service subscription, you must use the same OrgID
you used when you signed up for the Citrix Gateway service. For more information about OrgIDs
in Citrix Cloud, see What is an OrgID?

Credentials and ports for site discovery

During the process of adding your site to Citrix Workspace, Citrix Cloud discovers your site and checks
that the Controller you specify is available. Before you add your on‑premises site, check the follow‑
ing:

• You have Citrix administrator credentials with a minimum of Read Only permissions. During
the site discovery process, Citrix Cloud prompts you to supply these credentials. Citrix Cloud
doesn’t store these credentials or use them to change to your site.

To enable site discovery without site credentials XenApp and XenDesktop 7.x and Virtual Apps
and Desktops 7 1808 only: If you don’t want to provide site credentials for security reasons, you can
allow Citrix Cloud to discover your site without prompting for site credentials. Complete this task
before you add your site to Citrix Workspace.

1. Install at least two Cloud Connectors in your site’s domain.

2. Create an Active Directory security group and add the Cloud Connectors in your domain to it.
3. Restart the Cloud Connectors.
4. In Studio, grant the security group Read Only permissions, at a minimum.

Task 1: Discover site

In this step, you provide the information that Citrix Cloud needs to locate your site and select your
resource location. The resource location specifies the domain and connectivity option for all users
who access your site. If you need to install Cloud Connectors in your site’s domain, you can do so now.
If you already have Cloud Connectors installed, you can select them when prompted.

1. From the Citrix Cloud menu, navigate to Workspace Configuration > Sites > Add Site.

2. Select the type of on‑premises site you want to add and continue.

Citrix Cloud attempts to discover any resource locations and Cloud Connectors in your domain
and displays a list for you to select from.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 178

Citrix Workspace

3. Perform one of the following actions:

• If you have no Cloud Connectors installed in your site’s domain, select Install Connector.
Citrix Cloud prompts you to download the Cloud Connector software and complete the
installation wizard.
• If you have Cloud Connectors installed, Citrix Cloud displays the connectors in the domains
in which they were detected. Select the resource location that you want to add to Citrix
Workspace. This resource location becomes the default resource location.
• If you have Cloud Connectors installed, but they aren’t displayed, select Detect.

4. Select the resource location and Cloud Connector pair that you want to use to discover your
site.

5. In Enter Server Address, add the IP address or FQDN of a Controller in the site, and select Dis‑
cover
Note:

If using an FQDN, you must have a DNS record that points to the Delivery Controller that
you want to discover.

For XenApp and XenDesktop 7.x sites, Citrix Cloud automatically discovers the XML server
port.

6. If prompted, enter the Citrix Administrator credentials for the site.

Citrix Cloud tests connectivity to verify that your site is reachable. Discovery might take a few
minutes to complete, depending on the type and size of the site.

7. If a success message appears indicating that the site has been successfully discovered, select
Continue.

Task 2: Verify Active Directory Connection

In Verify Active Directory Connection, Citrix Cloud displays the domains used with your site and
whether there are Cloud Connectors installed in those domains.

If there are no Cloud Connectors in a domain, users in that domain can’t use Citrix Workspace to access
the applications published there. If you only have one Cloud Connector in your domain, you have two
options:

• Install more Cloud Connectors by selecting Install Connector.

• Continue without installing more Cloud Connectors by selecting I understand that high avail‑
ability requires having two connectors installed in each domain.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 179

Citrix Workspace

If you have local users assigned to applications in your site, select Download user list (.csv).

After verifying your Active Directory connection, select Continue.

Task 3: Configure connectivity

In this step, you specify whether you want to allow external or internal‑only user access to your site
through Citrix Workspace. Internal connectivity requires your users to be on the same network as your
site and VDAs that host your published resources. For external connectivity, you can use your existing
on‑premises Citrix Gateway or you can use the cloud‑hosted Citrix Gateway service.

Select one of the following options in Select connectivity type > Configure Connectivity:

• Add Existing Gateway: Select this option to use your existing Citrix Gateway to provide external
access.
• Citrix Gateway service: Select this option to activate a service trial or to use your existing sub‑
scription with your site.
• Internal Only: Select this option if no other configuration is needed.

If Add Existing Gateway is selected, perform the following actions:

1. Select Edit and enter the public URL of the Citrix Gateway.
2. Verify that Citrix Gateway is configured to use your Cloud Connectors as the STA servers, de‑
scribed in CTX232640.
3. Select Test STA and then, when the test is successful, Continue. If the test isn’t successful, refer
to CTX232517 for troubleshooting.

If Citrix Gateway service is selected, but the service isn’t enabled for your Citrix Cloud account as a
service trial or as a purchase, you can select Start a 60‑day trial. Citrix Cloud enables the service as a
trial for you. If the service was enabled at an earlier time, Citrix Cloud detects the service and displays
any remaining trial days.

After completing the preceding tasks, select Continue.

Task 4: Confirm site aggregation

In this step, you confirm site aggregation, which involves reviewing the XML port, XML servers, Active
Directory domains, and the connectivity type you chose earlier.

Citrix Cloud displays up to five XML servers it can connect to. If you have more than one XML server
in your site but only one is shown, Citrix Cloud displays an alert. To troubleshoot this issue, refer to
CTX232516.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 180

Citrix Workspace

1. In Confirm Site Aggregation, review the XML port, XML servers, Active Directory domains, and
the connectivity type you chose earlier.
2. Select Save and Finish. The Sites page displays your newly added site.

If you want to specify different XML servers, you can then edit your site to change these values after
you select Save and Finish.

Task 5: Manage service integrations

After adding your first site, you must enable the Service Integration for Virtual Apps and Desktops
on‑premises sites, which is disabled by default. Subscribers can’t see resources from the site until
you enable it.

1. Navigate to Workspace Configuration > Service Intergrations > Virtual Apps and Desktops
On‑Premises Sites and select the ellipsis to open the site actions menu.
2. Enable the service integration so that subscribers can sign in to their workspaces and see re‑
sources from the site.

Change your site configuration

Rediscover your site

If you add Delivery Controllers to your site or change XML ports, you can verify that your site is still
reachable in Citrix Workspace with a rediscovery process.

1. Navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to update,
and then select Edit Site.
2. In Server Address, type the IP address or FQDN of a Delivery Controller in your site and select
Rediscover.

Add or modify XML servers

When you add a site to Citrix Workspace, Citrix Cloud automatically detects XML servers in your site
and displays up to five XML servers in your configuration. You can add and remove XML servers as
needed from your site configuration up to the display limit of five XML servers.

To add an XML server

1. Navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to update
and select Edit Site.
2. In the XML Servers section, enter the XML server port and select Use SSL if needed.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 181

Citrix Workspace

3. Select a connectivity method:

• Load balanced: This option allows Citrix Cloud to pick a random XML server from the list.
• Failover: This option allows Citrix Cloud to use the listed XML servers in the order that
they appear in the list. Only the first XML service in the list is used for launch unless it
becomes unavailable, then the second server is used. You can reorder the list by dragging
and dropping each server.

4. Select Save Changes.

If you experience an error when adding an XML server, refer to CTX232516 for troubleshooting steps.

Add IP ranges for different connectivity options

If you have VDAs or session hosts in different subnets, you can specify IP ranges with a different con‑
nectivity type for each one. Each IP range can also have a different resource location associated with
it. For example, you might have one IP range for machines in the EU where users connect internally,
one IP range for machines in the EU where users connect through your Citrix Gateway, and one IP
range for machines in the US where users connect through the Citrix Gateway service.

1. Navigate to Workspace Configuration > Sites, select the ellipsis button for the site you want
to update, and select Edit Site.
2. In the Connectivity section, select Add an IP range with a different connectivity option and
enter an IP range in CIDR format.

To create a resource location for your IP range:

1. Select Add a new Resource Location and enter a user‑friendly name.

2. In Select your connectivity, select whether you want to provide internal‑only access or allow
external access using your Citrix Gateway or the Citrix Gateway service.

To assign an existing resource location to the IP range:

1. Choose Select an existing resource location

2. Select the resource location you want to use.
3. If you choose a resource location with only one Cloud Connector installed, select I understand
that high availability requires having two connectors are installed in a resource location.
4. Select Add.

Add more Active Directory domains

If you install Cloud Connectors in more domains with Active Directory users in your site, you can check
they’re added to your site configuration in Citrix Workspace.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 182

Citrix Workspace

1. Navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to update,
and then select Edit Site.
2. Under Active Directory, select Refresh.

Disable Sites

If you no longer want to make your on‑premises site available to users in Citrix Workspace, you can
disable it. You can disable an individual on‑premises site or all on‑premises sites you’ve added to
Citrix Workspace.

When sites are disabled, users can’t access the on‑premises applications in those sites through Citrix
Workspace. However, the configuration for those sites is preserved. If you re‑enable a site later on,
the site’s default resource location, domain, XML server, and connectivity settings are kept.

To disable an on‑premises site

1. Navigate to Workspace Configuration > Sites, select the ellipsis for the site you want to disable
and then select Disable.
2. A confirmation message appears. Select Disable again.

To disable all on‑premises sites

To disable all sites on the Sites page, disable the workspace service integration for all Virtual Apps and
Desktops on‑premises sites. For instructions, see To disable workspace integration for a service.

To re‑enable an individual on‑premises site or to add another site later on, you must first re‑enable
the workspace service integration for all sites on the Service Integrations page.

Delete a site from Citrix Workspace

If you no longer want your on‑premises site configuration in Citrix Workspace, you can delete the site.
When you delete a site, only the configuration for the site in Citrix Workspace is removed. Citrix Cloud
doesn’t change your site.

To delete a site, navigate to Workspace Configuration > Sites, select the ellipsis for the site you want
to remove, and then select Delete.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 183

Citrix Workspace

Optimize connectivity to workspaces with Direct Workload Connection

November 15, 2023

With Direct Workload Connection in Citrix Cloud, you can optimize internal traffic to the apps and
desktops in workspaces to make HDX sessions faster. Ordinarily, users on both internal and external
networks connect to VDAs through an external gateway. This gateway might be on‑premises in your
organization or provided as a service from Citrix and added to the resource location within Citrix Cloud.
Direct Workload Connection allows internal users to bypass the gateway and connect to the VDAs
directly, reducing latency for internal network traffic.

To set up Direct Workload Connection, you need network locations that correspond to where clients
launch apps and desktops in your environment. Add a public address for each office location where
these clients reside using the Network Location Service (NLS). You have two options for configuring
network locations:

• Using the Network Locations menu option in Citrix Cloud.

• Using a PowerShell module that Citrix provides.

Network locations correspond to the public IP ranges of the networks that your internal users con‑
nect from, such as your office or branch locations. Citrix Cloud uses public IP addresses to determine
whether the networks from which virtual apps or desktops launched are internal or external to the
company network. If a subscriber connects from the internal network, Citrix Cloud routes the connec‑
tion directly to the VDA, bypassing NetScaler Gateway. If a subscriber connects externally, Citrix Cloud
routes them through NetScaler Gateway, then directs the session traffic through the Citrix Cloud Con‑
nector to the VDA in the internal network. If the Citrix Gateway service is used and the Rendezvous
protocol is enabled, Citrix Cloud routes external users through the Gateway service to the VDA in the
internal network. Roaming clients such as laptops might use either of these network routes, depend‑
ing on whether the client is inside or outside the corporate network when the launch occurs.

Important:

If your environment includes Citrix DaaS Standard for Azure alongside on‑premises VDAs, config‑
uring Direct Workload Connection causes launches from the internal network to fail.

Remote Browser Isolation, Citrix Virtual Apps Essentials, and Citrix Virtual Desktops Essentials re‑
source launches always route through the gateway. These launches don’t gain performance improve‑
ments from configuring Direct Workload Connection.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 184

Citrix Workspace

Requirements

Network requirements

• Corporate network and guest Wi‑Fi networks must have separate public IP addresses. If your cor‑
porate and guest networks share public IP addresses, users on the guest network can’t launch
DaaS sessions.
• Use the public IP address ranges of the networks that your internal users connect from. Internal
users on these networks must have a direct connection to the VDAs. Otherwise, launches of
virtual resources fail as Workspace tries to route internal users directly to the VDA, which isn’t
possible.
• Although VDAs are typically located within your on‑premises network, you can also use VDAs
hosted within a public cloud such as Microsoft Azure. Client launches must have a network route
to contact the VDAs without being blocked by a firewall. This requires a VPN tunnel from your
on‑premises network to a virtual network where the VDAs reside.

TLS requirements

TLS 1.2 must be enabled in PowerShell when configuring your network locations. To force PowerShell
to use TLS 1.2, use the following command before using the PowerShell module:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType
]::Tls12

Workspace requirements

• You have a workspace configured in Citrix Cloud.

• Citrix DaaS is enabled in Workspace Configuration > Service Integrations.

Enable TLS for Workspace app for HTML5 connections

If your subscribers use Citrix Workspace app for HTML5 to launch apps and desktops, Citrix recom‑
mends that you have TLS configured on the VDAs in your internal network. Configuring your VDAs to
use TLS connections ensures direct launches to VDAs are possible. If VDAs don’t have TLS enabled,
app and desktop launches must be routed through a gateway when subscribers use Citrix Workspace
app for HTML5. Launches using the Desktop Viewer aren’t affected. For more information about se‑
curing direct VDA connections with TLS, see CTX134123 in the Citrix Support Knowledge Center.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 185

Citrix Workspace

Add network locations through the GUI

Direct Workload Connection configuration through Citrix Cloud involves creating network locations
using the public IP address ranges of each branch location that your internal users connect from.

1. In the Citrix Cloud console, navigate to Network Locations.

2. Click Add network location.

3. Enter a network location name and public IP address range for the location.

4. Click Save.

5. Repeat these steps for each new network location that you want to add.

Note:

Location tags are not required for Direct Workload Connection because the connectivity type is
always Internal. The Location tags field in the Add a Network Location page (Citrix Cloud >
Network Locations > Add a Network Location > Location tags) is only visible if the Adaptive
Access feature is enabled. For details, see Enable the Adaptive Access feature.

Modify or remove network locations

1. In the Citrix Cloud console, navigate to Network Locations from the main menu.

2. Locate the network location that you want to manage and click the ellipses button.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 186

Citrix Workspace

3. Select one of the following commands:

• Select Edit to modify the network location. After making changes, click Save.
• Select Delete to remove the network location. Select Yes, delete to confirm the deletion.
You can’t undo this action.

Add and modify network locations with PowerShell

Instead of using the Citrix Cloud management console interface, you can use a PowerShell script to
configure Direct Workload Connection. Direct Workload Connection configuration with PowerShell
involves the following tasks:

1. Determine the public IP address ranges of each branch location that your internal users connect
from.
2. Download the PowerShell module.
3. Create a secure API client in Citrix Cloud and make a note of the Client ID and secret.
4. Import the PowerShell module and connect to the Network Location Service (NLS) with your
API client details.
5. Create NLS sites for each of your branch locations with the public IP address ranges that you
previously determined. Direct Workload Connection is automatically enabled for any launches
that come from the internal network locations you’ve specified.
6. Launch an app or desktop from a device on your internal network and verify that the connection
goes directly to the VDA, bypassing the Gateway. For more information, see ICA file logging in
this article.

Download the PowerShell module

Before you set up your network locations, download the Citrix‑provided PowerShell module
(nls.psm1) from the Citrix GitHub repository. Using this module, you can set up as many network
locations as needed for your VDAs.

1. In a web browser, go to https://github.com/citrix/sample‑scripts/blob/master/workspace/NL

S2.psm1.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 187

Citrix Workspace

2. Press ALT while clicking the Raw button.

3. Select a location on your computer and click Save.

Required configuration details

To set up your network locations, you need the following required information:

• Citrix Cloud secure client customer ID, client ID, and client secret. To obtain these values, see
Create a secure client in this article.
• Public IP address ranges for the networks where your internal users are connecting from. For
more information about these public IP address ranges, see Requirements in this article.

Create a secure client

1. Sign in to Citrix Cloud at https://citrix.cloud.com.

2. From the Citrix Cloud menu, select Identity and Access Management and then select API Ac‑
cess.

3. On the Secure Clients tab, note your customer ID.

4. Enter a name for the client and then select Create Client.

5. Copy the client ID and client secret.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 188

Citrix Workspace

Configure network locations

1. Open a PowerShell command window and navigate to the same directory where you saved the
PowerShell module.
2. Import the module: Import-Module .\nls.psm1 -Force
3. Set the required variables with your secure client information from Create a secure client:

• $clientId = "YourSecureClientID"
• $customer = "YourCustomerID"
• $clientSecret = "YourSecureClientSecret"

4. Connect to the Network Location Service with your secure client credentials:

1 Connect-NLS -clientId $clientId -clientSecret $clientSecret -

customer $customer

5. Create a network location, replacing the parameter values with the values that correspond to
the internal network where your internal users are directly connecting from:

1 New-NLSSite -name "YourSiteName" -tags @("YourTags") -ipv4Ranges @

("PublicIpsOfYourNetworkSites") -longitude 12.3456 -latitude
12.3456 -internal $True

To specify a single IP address instead of a range, add /32 to the end of the IP address. For exam‑
ple:

1 New-NLSSite -name "YourSiteName" -tags @("YourTags") -ipv4Ranges @

("PublicIpOfYourNetworkSite/32") -longitude 12.3456 -latitude
12.3456 -internal $True

Important:

When using the New-NLSSite command, include at least one value for each parameter. If

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 189

Citrix Workspace

you run this command without any command‑line arguments, PowerShell prompts you to
enter the appropriate values for each parameter, one at a time. The internal property
is a mandatory Boolean property with possible values: $True or $False that maps to
the UI via PowerShell. For example, (UI)Network Internal -> (PowerShell)–
internal=$True.

When the network location is created successfully, the command window displays the details
of the network location.

6. Repeat Step 5 for all your network locations where users are connecting from.

7. Run the command Get-NLSSite to return a list of all the sites you’ve configured with NLS
and verify that their details are correct.

Modify network locations

To change an existing network location:

1. From a PowerShell command window, list all existing network locations: Get-NLSSite

2. To modify the IP range for a specific network location, type

(Get-NLSSite)[N] | Set-NLSSite -ipv4Ranges @("1.2.3.4/32","

4.3.2.1/32")

where [N] is the number corresponding to the location in the list (starting with zero) and "
1.2.3.4/32","4.3.2.1/32" are the comma‑separated IP ranges you want to use. For
example, to modify the first listed location, you type the following command:

(Get-NLSSite)[0] | Set-NLSSite -ipv4Ranges @("98.0.0.1/32","

141.43.0.0/24")

Remove network locations

To remove network locations that you no longer want to use:

1. From a PowerShell command window, list all existing network locations: Get-NLSSite
2. To remove all network locations, type Get-NLSSite | Remove-NLSSite
3. To remove specific network locations, type (Get-NLSSite)[N] | Remove-NLSSite,
where [N] is the number corresponding to the location in the list. For example, to remove the
first listed location, you type (Get-NLSSite)[0] | Remove-NLSSite.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 190

Citrix Workspace

Verify that internal launches are routed correctly

To verify that internal launches are accessing VDAs directly, use one of the following methods:

• View VDA connections through the DaaS console.

• Use ICA file logging to verify the correct addressing of the client connection.

Citrix DaaS console

Select Manage > Monitor and then search for a user with an active session. In the Session Details
section of the console, direct VDA connections display as UDP connections while gateway connections
display as TCP connections.

If you don’t see UDP on the DaaS Console then you must enable the HDX Adaptive Transport Policy
for the VDAs.

ICA file logging

Enable ICA file logging on the client computer as described in To enable logging of the launch.ica file.
After launching sessions, examine the Address and SSLProxyHost entries in the log file.

Direct VDA connections For direct VDA connections, the Address property contains the VDA’s IP
address and port.

Here’s an example of an ICA file when a client launches an application using the NLS:

1 [Notepad++ Cloud]
2 Address=;10.0.1.54:1494
3 SSLEnable=Off

The SSLProxyHost property isn’t present in this file. This property is included only for launches
through a gateway.

Gateway connections For gateway connections, the Address property contains the Citrix Cloud
STA ticket, the SSLEnable property is set to On, and the SSLProxyHost property contains the gate‑
way’s FQDN and port.

Here’s an example of an ICA file when a client has a connection through the Citrix Gateway service
and launches an application:

1 [PowerShell ISE Cloud]

2 Address=;40;CWSSTA;027C02199068B33889A40C819A85CBB4
3 SSLEnable=On
4 SSLProxyHost=global.g.nssvcstaging.net:443

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 191

Citrix Workspace

Here’s an example of an ICA file when a client has a connection through an on‑premises gateway and
launches an application using an on‑premises gateway that is configured within the resource loca‑
tion:

1 [PowerShell ISE Cloud]

2 Address=;40;CWSSTA;027C02199068B33889A40C819A85CBB5
3 SSLEnable=On
4 SSLProxyHost=onpremgateway.domain.com:443

Note:

On‑premises gateway virtual servers that are used to launch virtual apps and desktops must be
VPN virtual servers, not nFactor authentication virtual servers. The nFactor authentication vir‑
tual servers are for user authentication only and don’t proxy resource HDX and ICA launch traffic.

Example script

The example script includes all commands that you might need to add, modify, and remove the pub‑
lic IP address ranges for your branch locations. However, you don’t need to run all commands to per‑
form any single function. For the script to run, always include the first 10 lines, from Import‑Module
through Connect‑NLS. Afterward, you can include only the commands for the functions you want to
perform.

1 Import-Module .\nls.psm1 -Force

2
3 $clientId = "XXXX" #Replace with your clientId
4 $clientSecret = "YYY" #Replace with your clientSecret
5 $customer = "CCCCCC" #Replace with your customerid
6
7 # Connect to Network Location Service
8 Connect-NLS -clientId $clientId -clientSecret $clientSecret -customer
$customer
9
10 # Create a new Network Location Service Site (Replace with details
corresponding to your branch locations)
11 New-NLSSite -name "New York" -tags @("EastCoast") -ipv4Ranges @("
1.2.3.0/24") -longitude 40.7128 -latitude -74.0060 -internal $True
12
13 # Get the existing Network Location Service Sites (optional)
14 Get-NLSSite
15
16 # Update the IP Address ranges of your first Network Location Service
Site (optional)
17 $s = (Get-NLSSite)[0]
18 $s.ipv4Ranges = @("1.2.3.4/32","4.3.2.1/32")
19 \$s | Set-NLSSite
20
21 # Remove all Network Location Service Sites (optional)
22 Get-NLSSite | Remove-NLSSite

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 192

Citrix Workspace

23
24 # Remove your third site (optional)
25 \(Get-NLSSite)\[2] | Remove-NLSSite

Troubleshooting

VDA launch failures

If VDA sessions are failing to launch, verify you’re using public IP address ranges from the correct net‑
work. When configuring your network locations, you must use the public IP address ranges of the
network where your internal users are connecting from to reach the Internet. For more information,
see Requirements in this article.

Internal VDA launches still routed through the gateway

If VDA sessions launched internally are still being routed through the gateway as if they were external
sessions, verify you’re using the correct public IP address that your internal users are connecting from
to reach their workspace. The public IP address listed in the NLS site must correspond to the address
that the client launching the resources uses to access the Internet. To obtain the correct public IP
address for the client, log on to the client machine, visit a search engine, and enter “what is my ip”in
the search bar.

All clients that launch resources within the same office location typically access the Internet using the
same network egress public IP address. These clients must have an internet network route to the sub‑
nets where the VDAs reside, which isn’t blocked by a firewall. For more information, see Requirements
in this article.

Errors when running PowerShell cmdlets on non‑Windows platforms

If you experience errors when running cmdlets with the correct parameters on PowerShell Core, ver‑
ify that the operation was carried out successfully. For example, if you experience errors when run‑
ning the New‑NLSSite cmdlet, run Get-NLSSite to verify that the site was created. Running these
cmdlets on macOS or Linux platforms using PowerShell Core can result in an error even though the
operation ran successfully.

If you experience this issue when running cmdlets with the correct parameters on a Windows platform
using PowerShell, ensure you’re using the latest version of the PowerShell module. With the latest
version of the PowerShell module, this issue does not occur on Windows platforms.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 193

Citrix Workspace

Additional help and support

For troubleshooting help or questions, contact your Citrix sales representative or Citrix Support.

Service continuity

November 28, 2024

Service continuity removes or minimizes dependence on the availability of components involved in

the connection process. Users can launch their Citrix DaaS apps and desktops regardless of the cloud
services health status.

Service continuity allows users to connect to their DaaS apps and desktops during outages, as long
as the user device maintains a network connection to a resource location. Users can connect to DaaS
apps and desktops during outages in Citrix Cloud components or in public and private clouds. Users
can connect directly to the resource location or through the Citrix Gateway Service.

Service continuity improves the visual representation of published resources during outages by using
Progressive Web Apps service worker technology to cache resources in the user interface.

Service continuity uses Workspace connection leases to allow users to access apps and desktops
during outages. Workspace connection leases are long‑lived authorization tokens. Workspace con‑
nection lease files are securely cached on the user device. When a user signs in to Citrix Workspace,
Workspace connection lease files are saved to the user profile for each resource published to the user.
Service continuity lets users access apps and desktops during an outage even if the user has never
launched an app or desktop before. Workspace connection lease files are signed and encrypted and
are associated with the user and the user device. When service continuity is enabled, a Workspace con‑
nection lease allows users to access apps and desktops for seven days by default. You can configure
Workspace connection leases to allow access for up to 30 days.

When users exit Citrix Workspace app, Citrix Workspace app closes but the Workspace connection
leases are retained. Users exit the Citrix Workspace app by right‑clicking its icon in the system tray
or by restarting the user device. You can configure service continuity to delete or retain Workspace
connection leases when users sign out of Citrix Workspace during an outage. By default, Workspace
connection leases are deleted from user devices when users sign out during an outage.

Service continuity is supported for double hop scenarios when Citrix Workspace app is installed on a
virtual desktop.

For an in‑depth technical article about Citrix Cloud resiliency features, including service continuity,
see Citrix Cloud Resiliency.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 194

Citrix Workspace

Note:

The deprecated Citrix DaaS feature called “connection leasing”resembles Workspace connection
leases in that it improved connection resiliency during outages. Otherwise, that deprecated fea‑
ture is unrelated to service continuity.

User device setup

To access resources during an outage, users must sign in to Citrix Workspace before the outage occurs.
When you enable service continuity, users must perform the following steps on their devices:

1. Download and install a supported version of Citrix Workspace app.

2. Add the Workspace URL for your organization to Citrix Workspace app (for example, https://
example.cloud.com).

3. Sign in to Citrix Workspace.

When a user signs into Citrix Workspace for the first time, service continuity downloads Workspace
connection leases to the user device.

Downloading Workspace connection leases might take up to 15 minutes for first‑time sign‑in. Users
can continue launching published resources during the download period.

User experience during an outage

When service continuity is enabled, the user experience during an outage varies depending on:

• The type of outage

• Whether the Citrix Workspace app is configured with domain pass‑through authentication
• Whether session sharing is enabled for the app or desktop the user connects to

For some outages, users continue accessing their DaaS with no change to their user experience. For
other outages, user might see a change in how Workspace appears or be prompted to take some ac‑
tion.

This table summarizes how service continuity helps users access apps and desktops during different
types of outages.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 195

Citrix Workspace
Where the outage occurs
Citrix Workspace service
Identity provider
Citrix Cloud Broker Service
Secure Ticket Authority
Citrix Gateway service
© 1999–2024 Cloud Software Group, Inc. All rights reserved.
How service continuity
maintains user access
Citrix Workspace app
enumerates apps and desktops
based on local cache on the
user device.
Citrix Workspace app and
enumerates apps and desktops
based on local cache on the
user device.
The High Availability Service in
the Cloud Connector takes over
brokering. All VDAs that were
registered with the Cloud
Broker Service register with the
High Availability Service.
Workspace connection leases
provide access to virtual
resources when ICA files can’t.
Network traffic fails over to the
closest healthy Citrix Gateway
service point of presence
(POP).
User experience during outage
Icons for unavailable apps and
desktops appear dimmed.
Users can still access apps and
desktops that have undimmed
icons. After clicking an
undimmed icon, users might be
prompted to reenter their
credentials at the VDA. To
regain access to all their apps
and desktops, users can try to
establish their connection to
Workspace by clicking the
“Reconnect to Workspace”link.
Users might be unable to sign
in to Workspace. Users click the
“Use Workspace offline”link to
access some apps and desktops
in an experience identical to a
Workspace service outage.
Some users might be unable to
access virtual resources while
VDAs register with the High
Availability Service. Existing
sessions aren’t affected. No
user action needed.
Sessions launches might take a
few seconds longer. No user
action needed.
Existing sessions might take a
few seconds to reconnect. No
user action needed.
196
Citrix Workspace

How service continuity

Where the outage occurs maintains user access User experience during outage

Internet connection on the LAN
Citrix Workspace app
enumerates apps and desktops
based on local cache on the
user device. If a user has a
direct network connection to
the resource location, Citrix
Workspace app bypasses the
Citrix Gateway service when
the user clicks undimmed icons.
Citrix Workspace app contacts
the Cloud Connector over TCP
2598 and contacts VDAs over
TCP 2598 or UDP 2598.
Icons for unavailable apps and
desktops appear dimmed.
Users can still access apps and
desktops that have undimmed
icons. After clicking an
undimmed icon, users might be
prompted to reenter their
credentials at the VDA. To
regain access to all their apps
and desktops, users can try to
establish their connection to
Workspace by clicking the
“Reconnect to Workspace”link.

For information about validating outage scenarios in a non‑production environment, refer to the Ser‑
vice Continuity Companion Guide.

During a Citrix Workspace outage, users see this message at the top of the Citrix Workspace home page:
“Unable to connect to some of your resources. Some virtual apps and desktop may still be available.”
Users see apps and desktops that they can connect to during the outage. If the app or desktop isn’t
available, the icon appears dimmed.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 197

Citrix Workspace

To access available resources during an outage, users select a resource icon that isn’t dimmed. If
prompted, the user then reenters their AD credentials at the VDA before accessing resources.

During an outage in the identity provider for workspace authentication, users might be unable to sign
in to Citrix Workspace through the Workspace sign‑in page. After 40 seconds, this message appears at
the top of the Citrix Workspace home page.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 198

Citrix Workspace

Afterward, the Citrix Workspace home page appears. Users then access resources as they would dur‑
ing a Citrix Workspace outage.

Regardless of the type of outage, users can continue to access resources if they exit and relaunch Citrix
Workspace app. Users can restart their user devices without losing access to resources.

In the default configuration of service continuity, users lose access to their resources if they sign out
of Citrix Workspace. If you want users to retain access to their resources after signing out, specify that
Workspace connection leases are kept when users sign out. See Configure service continuity.

Depending on how Citrix Workspace app and VDAs are configured, during an outage the VDA might
prompt users to enter their credentials into the Windows Logon user interface. If this prompt occurs,
users enter their Active Directory (AD) credentials or smart card PIN to access the app or desktop. This
step is required when user credentials aren’t passed through during outages. Before accessing an app
or desktop, users must reauthenticate to the VDA.

Users can access resources without entering their AD credentials if:

• Citrix Workspace is configured for single sign‑on during installation by selecting the single sign‑
on box.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 199

Citrix Workspace

• Citrix Workspace app is configured with domain pass‑through authentication. Users can access
any available resource during a Citrix Workspace outage without entering their credentials. For
information about configuring domain pass‑through authentication for Citrix Workspace app
for Windows, see Configure single sign‑on using the graphical user interface, found in the Au‑
thenticate documentation.
Note

StoreFront isn’t needed to allow single sign‑on to your VDA during an outage.

• Session sharing is enabled. Users can access apps or desktops hosted on the same VDA after
they provide their credentials for one resource on that VDA. Session sharing is configured for
the application group containing the resource on the VDA. For information about configuring
application groups, see Create application groups.

In all other configurations, users are prompted to reenter their AD credentials at the VDA before ac‑
cessing resources.

Requirements and limitations

Site requirements

• Supported in all editions of Citrix DaaS and Citrix DaaS Standard for Azure, when using Work‑
space Experience.

• Not supported for Citrix Workspace with site aggregation to on‑premises Virtual Apps and Desk‑
tops.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 200

Citrix Workspace

• Not supported when on‑premises Citrix Gateway is used as an ICA Proxy. (Using Citrix Gateway
as a Workspace authentication method is supported.)

• Not supported for Citrix Cloud Government environments.

User device requirements

Minimum supported Citrix Workspace app versions:

• Citrix Workspace app for Windows 2106

• Citrix Workspace app for Linux 2106
• Citrix Workspace app for Mac 2106
• Citrix Workspace app for Android 22.2.0
• Citrix Workspace app for iOS 22.4.5
• Citrix Workspace app for ChromeOS 2301

Note:

For information on installing Citrix Workspace app for Linux, including information about in‑
stalling the app for use with service continuity, see Citrix Workspace app for Linux.

• For users who access their apps and desktops using browsers:

– Google Chrome or Microsoft Edge.

– Citrix Workspace app 2109 for Windows at a minimum. Supported with Google Chrome
and Microsoft Edge.
– Citrix Workspace app for Mac version 2112 at a minimum for use with Google Chrome.
– Citrix Workspace app for Mac version 2206 at a minimum for use with Safari browser.

See Service continuity in browser.

• Only one user per device is supported. Kiosk or “hot desk”user devices aren’t supported.

Supported workspace authentication methods

• Active Directory
• Active Directory plus token
• Azure Active Directory
• Okta
• Citrix Gateway (primary user claim must be from AD)
• SAML 2.0
• Conditional Authentication

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 201

Citrix Workspace

Authentication limitations

• Single sign‑on with Citrix Federated Authentication Service (FAS) isn’t supported. Users enter
their AD credentials into the Windows Logon user interface on the VDA.
• Single sign‑on to VDA isn’t supported.
• Local mapped accounts aren’t supported.
• VDAs joined to Microsoft Entra ID (formerly Microsoft Azure AD) aren’t supported. All VDAs must
be joined to an AD domain.

Citrix Cloud Connector scale and size

• 4 vCPU or more
• 6 GB memory or more

Citrix Cloud Connector Powershell Security

Make sure script execution is enabled by setting the Execution Policy to remotedSigned value appro‑
priate for your environment.
Other script execution privileges can also work, like Default or AllSigned.

Citrix Cloud Connector connectivity

Citrix Cloud Connector must be able to reach https://rootoftrust.apps.cloud.com. Con‑

figure your firewall to allow this connection. For information about the Cloud Connector firewall, see
Cloud Connector Proxy and Firewall Configuration.

Workspace app network connectivity

If you configure connection to your resource location from outside your LAN, the Workspace app on
user devices must be able to reach the Citrix Gateway Service FQDN, https://*.g.nssvc.net.
Ensure that your firewall is configured to allow outgoing traffic to https://global-s.g.nssvc
.net:443, so that user devices can connect to the Citrix Gateway Service at all times.

Connectivity optimization limitations

Advanced Endpoint Analysis (EPA) isn’t supported.

Enlightened Data Transport (EDT) isn’t supported during outages.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 202

Citrix Workspace

VDA requirements and limitations

• VDA 7.15 LTSR or any current release that hasn’t reached end of life are supported.

• VDAs joined to Microsoft Entra ID aren’t supported. All VDAs must be joined to an AD domain.

• VDAs must be online for users to access VDA resources during an outage. VDA resources aren’t
available when the VDA is affected by outages in:

– AWS
– Azure
– Cloud Delivery Controller, unless Autoscale is enabled for the delivery group delivering the
resource

• VDA workloads supported during outages:

– Hosted shared apps and desktops

– Random non‑persistent desktops (pooled VDI desktop) with power management
– Static non‑persistent desktops
– Static persistent desktops, including Remote PC Access

Note:

Assign on first use isn’t support during outages. Random non‑persistent desktops with
power management are unavailable by default if Cloud Connectors lose connectivity with
Citrix Cloud unless ReuseMachinesWithoutShutdownInOutage is configured for
the delivery group. Review Application and desktop support for more details.

For more information about available VDA functions during outages, see VDA management during
outages.

Local keyboard mapping requirements and limitations

The Windows Logon user interface that prompts users to reauthenticate on the VDA does not support
local keyboard language mapping. To allow users to reauthenticate during an outage if they have local
keyboard language mapping on their devices, preload the keyboard layouts these users require.

Warning:

Editing the registry incorrectly can cause serious problems that might require you to reinstall
your operating system. Citrix can’t guarantee that problems resulting from the incorrect use of
the Registry Editor can be solved. Use the Registry Editor at your own risk. Be sure to back up
the registry before you edit it.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 203

Citrix Workspace

Edit this registry key in the VDA image:

HKEY_USERS\.DEFAULT\Keyboard Layout\Preload
The corresponding language pack in the virtual desktop image must be installed.
For a list of keyboard identifiers associated with keyboard languages, see Keyboard Identifiers and
Input Method Editors for Windows.

Configure resource location network connectivity for service continuity

You can configure your resource location to accept connections from inside your LAN, outside your
LAN, or both.

Configure for connections inside your LAN

1. From the Citrix Cloud menu, go to Workspace Configuration > Access.

2. Select Configure Connectivity.
3. Select Internal Only as your connectivity type.
4. Click Save.

Configure your Citrix Cloud Connector and VDA firewalls to accept connections over Common Gateway
Protocol (CGP) TCP port 2598. This configuration is the default setting.

Configure for connections from outside your LAN

1. From the Citrix Cloud menu, go to Workspace Configuration > Access.

2. Select Configure Connectivity.
3. Select Gateway Service as your connectivity type.
4. Click Save.

Configure for connections both from outside and inside your LAN

Run this PowerShell command:

Set-ConfigZone -InputObject (get-configzone -ExternalUid YourResourceLocationE
)-EnableHybridConnectivityForResourceLeases $true
Replace YourResourceLocationExternalUid with the external UID of the resource loca‑
tion.
This command allows direct connections to the Citrix Cloud Connector FQDN over TCP 2598 during
outages. If that connection fails Gateway Service is used as fallback. Allow internal users to bypass
the gateway and connect directly to the resource location reduces latency internal network traffic.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 204

Citrix Workspace

Note:

This PowerShell command is similar to Direct Workload Connection in that it optimizes connec‑
tivity to workspaces by allowing internal users to bypass the gateway and connect to VDAs di‑
rectly. When service continuity is enabled, Direct Workload Connection is not available during
outages.

Configure service continuity

To enable service continuity for your site:

1. From the Citrix Cloud menu, go to Workspace Configuration > Service Continuity.

2. Set Connection leasing for the Workspace to Enable.

3. Set Connection lease period to the number of days a Workspace connection lease can be used
to maintain a connection. The Workspace connection lease period applies to all Workspace
connection leases through your site. The Workspace connection lease period starts the first time
a user signs in to the Citrix Cloud Workspace store. Workspace connection leases are refreshed
each time the user signs in, up to once a day. The Workspace connection lease period can be
from one day to 30 days. The default is seven days.

4. Click Save.

When you enable service continuity, it is enabled for all delivery groups in your site. To disable service
continuity for a delivery group, use the following PowerShell command:

Set-BrokerDesktopGroup -name <deliverygroup> -ResourceLeasingEnabled

$false

Replace deliverygroup with the name of the delivery group.

By default, Workspace connection leases are deleted from the user device if the user signs out of Citrix
Workspace during an outage. If you want Workspace connection leases to remain on user devices after
users sign out, use the following PowerShell command:

Set-BrokerSite -DeleteResourceLeasesOnLogOff $false

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 205

Citrix Workspace

Note:

Workspace connection leases can’t be set to remain on user devices after users sign out for users
connecting with Citrix Workspace app for Mac. Citrix Workspace for Mac is unable to read the
value of the DeleteResourceLeaseOnLogOff property.

How service continuity works

If there’s no outage, users access virtual apps and desktops using ICA files. Citrix Workspace generates
a unique ICA file each time a user selects a virtual app or desktop icon. Each ICA file contains a Secure
Ticket Authority (STA) ticket and a logon ticket that can be redeemed only once to gain authorized
access to virtual resources. The tickets in each ICA file expire after about 90 seconds. After the ticket in
an ICA file is used or expires, the user needs another ICA file from Citrix Workspace to access resources.
When service continuity isn’t enabled, outages can prevent users from accessing resources if Citrix
Workspace can’t generate an ICA file.
Citrix Workspace generates ICA files when users launch virtual apps and desktops regardless of
whether service continuity is enabled. When service continuity is enabled, Citrix Workspace also gen‑
erates the unique set of files that make up a Workspace connection lease. Unlike ICA files, Workspace
connection lease files are generated when the user signs into Citrix Workspace, not when the user
launches the resource. When a user signs in to Citrix Workspace, connection lease files are generated
for every resource published to that user. Workspace connection leases contain information that
gives the user access to virtual resources. If an outage prevents a user from signing in to Citrix
Workspace or accessing resources using an ICA file, the connection lease provides authorized access
to the resource.

How sessions launch during outages

When users click an icon for an app or desktop during an outage, the Citrix Workspace app finds the
corresponding Workspace connection lease on the user device. Citrix Workspace app then opens a
connection. If connectivity to the resource location that hosts the app or desktop is configured to
accept connections from outside your LAN, a connection opens to Citrix Gateway Service. If you con‑
figure connectivity to the resource location that hosts the app or desktop to accept connections from
inside your LAN only, a connection opens to the Cloud Connector.
When the Citrix Cloud broker is online, the Cloud Connector uses the Citrix Cloud broker to resolve
which VDA is available. When the Citrix Cloud broker is offline, the secondary broker for the Cloud Con‑
nector (also known as the High Availability service) listens for and processes connection requests.
Users who are connected when an outage occurs can continue working uninterrupted. Reconnections
and new connections experience minimal connection delays. This functionality is similar to Local Host
Cache, but does not require an on‑premises StoreFront.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 206

Citrix Workspace

When a user launches a session during an outage, this window appears indicating that Workspace
connection leases were used for the session launch:

After the user has finished signing into the session, these properties appear in the Workspace Connec‑
tion Center:

The launch mode property provides information about the Workspace connection leases used to

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 207

Citrix Workspace

launch the session.

On devices running Citrix Workspace app for Mac, Citrix Viewer displays information showing that
Workspace connection leases were used for the session launch:

What makes it secure

All sensitive information in the Workspace connection lease files is encrypted with the AES‑256 ci‑
pher. Workspace connection leases are bound to a public/private key pair uniquely associated with
the specific client device and can’t be used on a different device. A built‑in cryptographic mechanism
enforces use of the unique key pair on each device.

Workspace connection leases are stored on the user device in AppData\Local\Citrix\SelfService\ConnectionLeases.

The security architecture of service continuity is built on public‑key cryptography, similarly to a pub‑
lic key infrastructure (PKI), but without certificate chains and certificate authorities. Instead, all the
components establish transitive trust by relying on a new Citrix Cloud service called the root of trust
that acts like a certificate authority.

Block connection leases

If a user device is lost or stolen, or a user account is closed or compromised, you can block Workspace
connection leases. When you block Workspace connection leases associated with a user, the user can’
t connect to resources. Citrix Cloud no longer generates or synchronizes Workspace connection leases
for the user.

When you block Workspace connection leases associated with a user account, you block connections
to that account on all devices associated with it. You can block Workspace connection leases for a
user or for all users in a user group.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 208

Citrix Workspace

To revoke Workspace connection leases for a single user or user group, use this PowerShell com‑
mand:

Set-BrokerConnectionLeaseRevocationDate -Name username -LeaseRevocationDays

Days

Replace username with the user associated with the account you want to block from connecting. Re‑
place username with a user group to block connection from all accounts in the user group. Replace
Days with the number of days connections are blocked.

For example, to block connections for xd.local/user1 for the next 7 days, type:

1 Set-BrokerConnectionLeaseRevocationDate -Name xd.local/user1 -

LeaseRevocationDays 7

To view the time period for which Workspace connection leases are revoked, use this PowerShell com‑
mand:

Get-BrokerConnectionLeaseRevocationDate -Name username

Replace username with the user or user group you want to view the time period for.

For example, to view the time period for which Workspace connection leases are revoked for
xd.local/user1, type:

1 Get-BrokerConnectionLeaseRevocationDate -Name xd.local/user2

This information appears:

1 FullName :
2 Name : XD\user2
3 UPN :
4 Sid : S-1-5-21-nnnnnn
5 LeaseRevocationDays : 2
6 LeaseRevocationDateTimeInUtc : 2020-12-17T17:34:25Z
7 LastUpdateDateTimeInUtc : 2020-12-19T17:34:25Z

From this output, you can see that user xd.local/user2 has Workspace connection leases revoked for
two days, from December 17, 2020, through December 19, 2020, at 17:34:25 UTC on each day.

To allow a user account that has Workspace connection leases revoked to receive connection again,
remove the block using this PowerShell command:

Remove-BrokerConnectionLeaseRevocationDate -Name username

Replace username with the blocked user or user group you want to receive connection. To allow all
blocked user account to receive connections, leave out the Name option.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 209

Citrix Workspace

Double hop scenarios

Service continuity can allow users to access virtual resources during outages in double hop scenarios
if they’re signed in to Citrix Workspace before the outage occurs. In a double hop scenario, a physical
user device connects to a virtual desktop that has Citrix Workspace app installed. The virtual desktop
then connects to another virtual resource.
In the double hop scenario, service continuity can allow users to access virtual resources during an
outage regardless of the type of virtual desktop. If the virtual desktop retains user changes, service
continuity can also provide access to virtual resources during outages that occur while the user isn’t
signed in.
Service continuity treats the physical user device and the virtual device in a double hop scenario as
individual client endpoints. Each device has its own set of Workspace connection leases. When a user
signs in to Citrix Workspace on a physical device, Workspace connection lease files are downloaded
and saved to the user profile on the physical device. The user then accesses a virtual desktop and signs
in to Citrix Workspace on the virtual desktop. At this point, a different set of Workspace connection
leases is downloaded and saved the user profile on the virtual desktop. Workspace connection lease
files are associated with the device they’re downloaded to. Workspace connection lease files can’t be
copied to another device and reused, even by the same user. Thus, service continuity can’t provide
access to resources during outages that occur after the session ends if the virtual desktop discards
changes made during a user session. For this type of virtual desktop, Workspace connection leases
are among the changes discarded.
Here’s how service continuity works in double hop scenarios with each type of supported virtual desk‑
top.

Service continuity can provide access to virtual

For double hops that include… resources during outages…

Hosted shared desktops If the outage occurs while the user is signed in to
the virtual desktop.
Random non‑persistent desktops (pooled VDI If the outage occurs while the user is signed in to
desktop) the virtual desktop.
Static non‑persistent desktops If the virtual desktop hasn’t restarted since the
user last logged in.
Static persistent desktops Anytime an outage occurs.

VDA management during outages

Service continuity uses the Local Host Cache function within the Citrix Cloud Connector. Local Host
Cache allows connection brokering to continue on a site when the connection between the Cloud

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 210

Citrix Workspace

Delivery Controller and the Cloud Connector fails. Because service continuity relies on Local Host
Cache, it shares some limitations with Local Host Cache.
Note:

Although service continuity uses Local Host Cache within the Cloud Connector, unlike Local Host
Cache, service continuity isn’t supported with on‑premises StoreFront.

Power management of VDAs during outages

If Cloud Connectors lose connectivity to Citrix Cloud, Connectors are unable to to receive hypervisor
credentials from Citrix Cloud. This means:

• During an outage, all machines are in the unknown power state and no power operations can
be issued. However, VMs on the host that are powered‑on can be used for connection requests.

By default, power‑managed desktop VDAs in pooled delivery groups that have the Shutdown‑
DesktopsAfterUse property enabled are not available for new connections if Cloud Connec‑
tors lose connectivity with Citrix Cloud. You can change this setting to allow those desk‑
tops to be used if Cloud Connectors lose connectivity with Citrix Cloud by configuring the
ReuseMachinesWithoutShutdownInOutage flag on your delivery groups. Changing the
ReuseMachinesWithoutShutdownInOutage parameter to $true can result in data from
previous user sessions to be present on the VDA until it is restarted.

Power management resumes when normal operations resume after an outage.

Machine assignment and automatic enrollment

An assigned machine can be used only if the assignment occurred during normal operations. New
assignments cannot be made during an outage.

Automatic enrollment and configuration of Remote PC Access machines isn’t possible. However, ma‑
chines that were enrolled and configured during normal operation are usable.

VDA resources in different zones

Server‑hosted applications and desktop users might use more sessions than their configured session
limits, if the resources are in different zones.

Unlike Local Host Cache, service continuity can launch apps and desktops from registered VDAs in dif‑
ferent zones, providing the resource is published in more than one zone. Citrix Workspace app might
take longer to find a healthy zone as it cycles sequentially through all the zones in the Workspace
connection lease.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 211

Citrix Workspace

Monitoring and troubleshooting

Service continuity performs two main actions:

• Download Workspace connection leases to the user device. Workspace connection leases are
generated and synced with the Citrix Workspace app.
• Launch virtual desktops and apps using Workspace connection leases.

Troubleshooting downloading Workspace connection leases

You can view Workspace connection leases at this location on the user device.

On Windows devices:

C:\Users\Username\AppData\Local\Citrix\SelfService\ConnectionLeases\
Store GUID\User GUID\leases

Username is the user name.

Store GUID is the global unique identifier of the Workspace store.

User GUID is the global unique identifier of the user.

On Mac devices:

$HOME/Library/Application Support/Citrix Receiver/CLSyncRoot

For example, open /Users/luca/Library/Application Support/Citrix Receiver/

CLSyncRoot

On Linux:

$HOME/.ICAClient/cache/ConnectionLease

For example, open /home/user1/.ICAClient/cache/ConnectionLease

Workspace connection leases are generated when the Citrix Workspace app connects to the Work‑
space store. View registry key values on the user device to determine whether the Citrix Workspace
app has successfully contacted the Workspace connection lease service in Citrix Cloud.

Open regedit on the user device and view this key:

HKCU\Software\Citrix\Dazzle\Sites\store-xxxx

If these values appear in the registry key, the Citrix Workspace app contacted or attempted to contact
the Workspace connection lease service:

• leaseLastCallHomeTime
• leaseLastSyncStatus

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 212

Citrix Workspace

If the Citrix Workspace app tried unsuccessfully to contact the Workspace connection lease service,
leaseLastCallHomeTime shows an error with an invalid time stamp:

leaseLastCallHomeTime REG_SZ 1/1/0001 12:00:00 AM

If leaseLastCallHomeTime is uninitialized, the Citrix Workspace app never attempted to contact

the Workspace connection lease service. To resolve this issue, remove the account from the Citrix
Workspace app and add it again.

Citrix Workspace app error codes for Workspace connection leases

When a service continuity error occurs on the user device, an error code appears in the error message.
Common errors include:

Error code Description

3000 No connection lease files present

3002 Connection lease cannot be read or found
3003 No resource location found
3004 Connection details missing in the leases
3005 ICA file is empty
3006 Connection lease expired. Log back into
Workspace.
3007 Connection lease is invalid
3008 Connection lease validation result: empty
3009 Connection lease validation result: invalid
3010 Parameter missing
3020 Connection lease validation failed
3021 No resource location found where the app is
published
3022 Connection lease validation result: deny
3023 Citrix Workspace app timed out
3024 User canceled the lease‑based launch while in
progress
3025 Number of launch‑retry count exceeded
3026 Negotiated resource (app or desktop) can not be
launched

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 213

Citrix Workspace

Access selfservice.txt

To access the selfservice.txt file for self‑service troubleshooting, perform the following
steps:

1. Create a blank text file and name it enableshieldandlogging.reg.

2. Copy the following text into the file and save:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\Dazzle]
“Tracing”=”True”
“AuxTracing”=”True”
“DefaultTracingConfiguration”=”global all ‑detail”
“ConnectionLeasingEnabled”=”True”

[HKEY_CURRENT_USER\Software\Citrix\Dazzle]
“RemoteDebuggingPort”=”8088”

3. Place your saved file into your client endpoint.

4. The selfservice.txt file is now discoverable at the following path: %LocalAppData%\

Citrix\SelfService.

Service continuity in browser

Extensions for Google Chrome and Microsoft Edge make service continuity available to Windows users
who access their apps and desktops using those browsers. The extensions are called a Citrix Work‑
space Web extension and are available at the Chrome web store and the Microsoft Edge Add‑on web‑
site.

These browser extensions require a native Citrix Workspace app on the user device to support service
continuity. These versions are supported:

• Citrix Workspace app 2109 for Windows at a minimum. Supported with Google Chrome and
Microsoft Edge.
• Citrix Workspace app for Mac version 2112 at a minimum. Supported with Google Chrome.
• Citrix Workspace app for Mac version 2206 at a minimum for use with Safari browser.

Citrix Workspace app for Windows (Store) is not supported.

The native Workspace app communicates with the Citrix Workspace Web extension using the native
messaging host protocol for browser extensions. Together, the native Workspace app and the Work‑
space Web extension use Workspace connection leases to give browser users access to their apps and
desktops during outages.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 214

Citrix Workspace

This video shows how to install and use service continuity in browser.

This is an embedded video. Click the link to watch the video

User device setup for browser users

To use service continuity in a browser, users must perform the following steps on their devices:

1. Download and install a version of Citrix Workspace app that is supported for browser users.

2. Download and install the Citrix Workspace Web extension for Chrome or Edge.

Browser user experience

When users click their apps or desktops, the app or desktop opens without users being prompted to
open the Citrix Workspace launcher.

Browser user experience during outages

Users can access their apps and desktop from the Workspace web client in a browser despite network
outages. If users encounter authentication issues due to network outages, the following prompt ap‑
pears as a pop‑up on the webpage after 60 seconds.

This prompt is optional, allowing users to choose whether to use offline mode based on their prefer‑
ence. Additionally, the prompt is movable, allowing users to drag it to any location on the webpage.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 215

Citrix Workspace

To access available apps and desktops offline, users can click Use offline mode.

To manage the offline mode prompt, click the Citrix Workspace Web extension in the browser on the
user device. The following screen appears:

Enable or disable the offline mode prompt by clicking the Login Timeout toggle.

Users can use the Work Offline option to manually switch to offline mode without waiting 60 seconds
for the offline mode prompt. This option is also useful in the case where user has disabled Login Time‑
out. To manage Work Offline feature, click the button labeled Go to [Workspace store name].

During some outages, the warning window prompting users to work offline appears automatically
when the extension detects Workspace‑side issues. The user doesn’t need to take any action or wait
through the login timeout interval.

Once the network is back online after the outage, users can click Reconnect to Workspace to recon‑
nect the Workspace back to online. The following message appears on the Workspace web client when
a user is accessing apps and desktops offline or if an outage occurs while the user is accessing apps
and desktops online.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 216

Citrix Workspace

Browser limitations

If users clear cookies and other site data in their browsers during an outage, service continuity doesn’
t work until they authenticate to Workspace again.

Unless the user enables the extension to work in incognito mode, service continuity isn’t supported
in incognito mode.

Troubleshooting for browser users

In the Advanced menu of the Citrix Workspace browser app account settings, ensure the current
method for app and desktop launch preference is set to Use Citix Workspace App. If this option
is set to Use Web Browser, service continuity isn’t supported in the browser.

Ensure that the extension icon in the browser appears green after the browser loads the Workspace
URL.

To download logs, click the extension icon in the browser. Then click Download Logs.

Enable single sign‑on for workspaces with Citrix Federated

Authentication Service

November 27, 2023

Citrix Federated Authentication Service (FAS) supports single sign‑on (SSO) to DaaS in Citrix Work‑
space. FAS is typically adopted if you’re using one of the following identity providers for Citrix Work‑
space authentication:

• Azure Active Directory

• Okta
• SAML 2.0
• Citrix Gateway
• Google Cloud Identity

With FAS, subscribers enter their credentials only once to access their DaaS apps and desktops.

FAS isn’t needed for SSO to DaaS if you’re using Active Directory (AD), AD plus Token, or specific config‑
urations of Citrix Gateway. For more information on configuring Citrix Gateway, visit Create an OAuth
IdP policy on the on‑premises Citrix Gateway.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 217

Citrix Workspace

FAS servers

Within each resource location, you can connect multiple FAS servers to Citrix Cloud for load balancing
and failover purposes.

Citrix Cloud supports using FAS servers in the following scenarios.

In both scenarios, subscribers signing in to their workspaces through a federated identity provider
enter their credentials only once to access apps and desktops.

FAS servers connected with a single resource location

If your resource locations contain varied infrastructure (for example, different resource locations con‑
tain different AD forests), deploy FAS servers to the resource location where your VDAs are. SSO is
active only in resource locations where one or more FAS servers are connected.

FAS servers connected with multiple resource locations

If you have network connectivity between your resource locations and they contain similar infrastruc‑
ture, you can connect your FAS servers with multiple resource locations. SSO is active for workspace
subscribers who connect to apps and desktops in those resource locations. In this scenario, there’s
no need to connect separate FAS servers to each resource location.

When subscribers launch a virtual app or desktop, Citrix Cloud selects a FAS server in the same re‑
source location as the app or desktop that is being launched. Citrix Cloud contacts the selected FAS
server to obtain a ticket that grants access to a user certificate stored on the FAS server. To authenti‑
cate the subscriber, the VDA connects to the FAS server and presents the ticket.

You can use the same FAS server for both on‑premises and Citrix Cloud with proper rule configura‑
tion.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 218

Citrix Workspace

Failover priority for multiple resource locations

When using FAS servers with multiple resource locations, FAS servers in one resource location can
provide failover to FAS servers in other resource locations. When you add FAS servers to other resource
locations, you designate each server as primary or secondary. When subscribers launch a virtual app
or desktop, Citrix Cloud uses this designation in the following manner to select a FAS server:

• FAS servers that are designated as primary in the given resource location are considered first.
• If no primary servers are available, FAS servers that are designated as secondary are considered.
• If no secondary servers are available, the launch continues but single sign‑on doesn’t occur.

Video overview

For an overview of the Federated Authentication Service for Citrix Workspace, view this Tech Insight
video:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 219

Citrix Workspace

Requirements

Connectivity requirements

Use the FAS administration console to connect a FAS server to Citrix Cloud. You can use this console to
configure a local or remote FAS server. To enable SSO for workspaces with FAS, the FAS administration
console and FAS service access the following addresses using the console user’s account and Network
Service account, respectively.

• FAS administration console, using the console user’s account:

– *.cloud.com
– *.citrixworkspacesapi.net
– Addresses required by a third party identity provider, if one is used in your environment

• FAS service, using the Network Service account:

– *.citrixworkspacesapi.net
– https://*.citrixnetworkapi.net/

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 220

Citrix Workspace

If your environment includes proxy servers, configure the user proxy with the addresses for the FAS
administration console. Also, ensure that the address for the Network Service Account is configured
as appropriate for your environment.

FAS system requirements

The requirements in this section apply to all FAS servers that you plan to connect with Citrix Cloud.

Complete system requirements for the FAS server are described in the System Requirements section
of the FAS product documentation.

FAS servers in your on‑premises Citrix Virtual Apps and Desktops environment must have Federated
Authentication Service 2003 (Version 10.1) or later installed.

If your existing FAS server is older than Version 10, you can download the latest FAS software from Cit‑
rix and upgrade the server in‑place before creating this connection. When you create the connection,
you select the resource location for your FAS server. SSO is active for subscribers only in the resource
locations where FAS servers are present.

For more information about upgrading an existing FAS server, see Install and configure in the FAS
product documentation. The same FAS server can be used for Workspace and on‑premises deploy‑
ments.

Citrix Workspace

You must have Citrix DaaS provisioned and enabled in Workspace. By default, the DaaS is enabled in
Workspace Configuration after you subscribe to the service. However, the service requires that you
deploy Citrix Cloud Connectors to allow Citrix Cloud to communicate with your on‑premises environ‑
ment.

Cloud Connectors

Citrix Cloud Connectors enable communication between your resource location (where the VDAs are)
and Citrix Cloud. Deploy at least two Cloud Connectors to ensure high availability. The servers on
which you install the Cloud Connector software must meet the following requirements:

• System requirements as described in Cloud Connector Technical Details

• No other Citrix components are installed, the server isn’t an Active Directory domain controller,
and isn’t a machine critical to your resource location infrastructure.
• Joined to the domain where your VDAs are.

For more information about deploying Cloud Connectors, refer to the following articles:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 221

Citrix Workspace

• Cloud Connector Proxy and Firewall Configuration

• Cloud Connector Installation

Setup overview

1. If you’re deploying new FAS servers, review the Requirements and follow the instructions in
Install and configure FAS in this article.
2. Connect your FAS server to Citrix Cloud as described in Connect a FAS server to Citrix Cloud in
this article. Completing this task connects your FAS server to a single resource location.
3. If you plan to connect your FAS server to multiple resource locations, follow the instructions in
Add a FAS server to multiple resource locations in this article.

Install and configure FAS

Follow the FAS installation and configuration process described in the FAS product documentation.
The configuration steps for StoreFront and the Delivery Controller aren’t required.

Tip:

You can also download the Federated Authentication Service installer from the Citrix Cloud con‑
sole:

1. From the Citrix Cloud menu, select Resource Locations.

2. Select the FAS Servers tile and then click Download.

Connect FAS servers to Citrix Cloud

Use the FAS administration console to connect your FAS server to Citrix Cloud as described in Install
and configure in the FAS product documentation.

After you complete the Connect to Citrix Cloud configuration step, Citrix Cloud registers the FAS
server and displays it on the Resource Locations page in your Citrix Cloud account.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 222

Citrix Workspace

If you already have the Resource Locations page loaded in your browser, refresh the page to display
the registered FAS server.

Support for Cloud notifications

FAS now supports Cloud notifications. With the new Cloud notifications for FAS servers, you receive
notifications in the following instances:

• A FAS server is down or unavailable.

• A FAS server’s Registry Authority (RA) certificate has expired or is about to expire.
• A new version of FAS is available to download.

Raising notifications

A periodic check for new notifications is done and raised in the Citrix Cloud management console. The
notifications appear under the bell icon on the upper right corner of the Citrix Cloud management
console. Select View All on the notification icon to view all the notifications. For more information,
see Notifications.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 223

Citrix Workspace

Note:

Once a notification is raised, it will be raised again periodically only if the issue is not resolved.

All notifications contain the FQDN of the impacted FAS server. The RA certificate expiry notification is
displayed only for the FAS servers with version 10.10.0.14 and later.

Add a FAS server to multiple resource locations

1. From the Citrix Cloud menu, select Resource Locations and then select the FAS Servers tab.
2. Locate the FAS server you want to manage, click the ellipsis (…) at the right side of the entry,
and then select Manage Server.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 224

Citrix Workspace

3. Select Add to a resource location and then select the resource locations that you want.

4. Select Primary or Secondary for the FAS server’s failover priority in each selected resource
location.
5. Select Save Changes.

To view the added FAS server, select Resource Locations from the Citrix Cloud menu and then select
the FAS Servers tab. A list of all FAS servers for all connected resource locations appears. To display
FAS servers for a specific resource location, select the resource location from the drop‑down list.

Change a FAS server’s failover priority

1. From the Resource Locations page, select the FAS Servers tile for the resource location you
want to manage.
2. Select the FAS Servers tab.
3. Locate the FAS server you want to manage, click the ellipsis at the right side of the entry, and
then select Manage server.
4. Locate the resource location with the priority you want to change and select the new priority
from the drop‑down list.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 225

Citrix Workspace

5. Select Save Changes.

Enable federated authentication for workspaces

1. From the Citrix Cloud menu, select Workspace Configuration and then select Authentication.
2. Click Enable FAS. This change might take up to five minutes to be applied to subscriber ses‑
sions.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 226

Citrix Workspace

Afterward, the Federated Authentication Service is active for all virtual app and desktop launches from
Citrix Workspace.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 227

Citrix Workspace

When subscribers sign in to their workspace and launch a virtual app or desktop in the same resource
location as the FAS server, the app or desktop starts without prompting for credentials.

Note:

If all FAS servers in a resource location are down or in maintenance mode, application launches
succeed, but single sign‑on isn’t active. Subscribers are prompted for their AD credentials to
access each application or desktop.

Remove a FAS server

To remove a FAS server from a single resource location:

1. From the Resource Locations page, select the FAS Servers tile for the resource location you
want to manage.
2. Select the FAS Servers tab.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 228

Citrix Workspace

3. Locate the FAS server you want to manage, click the ellipsis at the right side of the entry, and
then select Manage server.
4. Locate the resource location you want to remove and then click the X icon.

To remove a FAS server from all connected resource locations:

1. From the Citrix Cloud menu, select Resource Locations.

2. Locate the resource location you want to manage and then select the FAS Servers tile.
3. Locate the FAS server you want to remove, click the ellipsis at the right side of the entry, and
then select Remove FAS Server.

4. On the FAS administration console (on your on‑premises FAS server), in Connect to Citrix
Cloud, select Disconnect. Alternatively, you can uninstall FAS.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 229

Citrix Workspace

Troubleshooting

If the FAS server isn’t available, a warning message appears on the FAS Servers page.

To diagnose the problem, open the FAS administration console on your on‑premises FAS server and
inspect the status. For example, the FAS server isn’t present in the FAS server GPO:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 230

Citrix Workspace

If the FAS administration console indicates that the server is operating properly, but there are still VDA
logon problems, consult the FAS Troubleshooting Guide.

More information

Configuring Single sign‑on to Workspace app

Configure Citrix Workspace app using Global App Configuration service

November 14, 2024

You can configure Citrix Workspace app using Global App Configuration service (GACS). It helps you
manage the app settings for end users on both managed and unmanaged devices.
Settings can be configured for both cloud (Citrix Workspace) and on‑premises (Citrix StoreFront) en‑
vironments using one of the following methods:

• Global App Configuration service User Interface (UI):

– Configure settings for cloud stores

– Configure settings for on‑premises stores

• API: To configure settings using APIs, see Citrix Developer.

This service is supported on Windows, Mac, Linux (cloud store only), Android, iOS, HTML5, and
ChromeOS platforms.

Key benefits

The Global App Configuration service lets you perform the following functions from a centralized in‑
terface:

• Configure settings for both managed and unmanaged devices (Bring Your Own Devices)
• Configure settings for multiple stores
• Update and manage client app agents (for example, Endpoint Analysis, ZTNA) and third‑party
agents (for example, Zoom, Webex)
• Automatically update and manage the Citrix Workspace app version for end users
• Test the configuration before rolling it out to your end‑users

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 231

Citrix Workspace

How does the Global App Configuration service work?

The Global App Configuration service is a Citrix IP solution used to configure and manage client app
settings. It uses the following services and settings to provide a seamless experience to your end‑
users.

• AutoDiscovery services: It maps domains to store URLs, enabling your end users to sign in
using their email addresses. End users aren’t required to provide their store URLs at the time of
sign‑in.
• Auto‑update service and Agent management: Automatically updates Citrix Workspace app
to the specified version for your end users. You have the flexibility to configure different app
versions for different platforms.
• Client app settings and policies: All end‑user settings on Citrix Workspace app can be config‑
ured and set centrally. It includes settings such as login experience, security, authentication
options, virtual app, desktop settings.

Note:

With the release of Citrix Workspace app version 2402 for Windows and Mac, GACS serves settings
in two stages. Citrix Workspace app initially fetches certain settings that need to be applied be‑
fore user authentication, and the rest of the settings are applied after the successful authentica‑
tion.

Prerequisites

Before you configure the app settings, verify that the Citrix Workspace app version is equal to or higher
than the specified versions. For more information, refer to the following table.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 232

Citrix Workspace

Citrix Workspace app platform Minimum supported version

Windows Current Release ‑ 2106, LTSR ‑ 2203.1

Mac 2203.1
Linux 2408
iOS 2104
HTML5 2111
ChromeOS 2203
Android 2104

How to use the Global App Configuration service?

To configure settings:

1. Sign in the Citrix Cloud portal and navigate to Workspace Configuration > App configuration.
2. From the list of configured store URLs, select the store for which you want to map settings and
then click Configure.
3. Modify the app settings as per your organization’s policies.
4. Click Publish Drafts to save and publish your settings.

The user interface also provides the following options for a simplified user experience.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 233

Citrix Workspace

View a summary of configured settings

You can view a summary of the current configuration by clicking the View configured changes button.
It eliminates the need to expand and review each setting separately. A consolidated list of all the
configured settings allows you to perform a comprehensive review of the current configuration and
gauge the user impact.

Review unsaved changes

Perform a final review of your unsaved changes before publishing the configuration. The number of
unsaved settings is displayed on the UI and you can access this list by clicking the Review unsaved
setting(s) option. It enables you to make informed changes and maintain data accuracy.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 234

Citrix Workspace

You can also navigate to an unsaved setting by clicking the arrow.

Enhanced user interface

View the status of each setting without expanding it. The following tags are now displayed to facilitate
informed decision making at every step.

• Configured: Displays the number of platforms (client OS) for which the setting has already been
configured.

• Unsaved: Displays the number of settings that are configured but not yet saved

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 235

Citrix Workspace

Enhanced search option

The search experience has been enhanced to provide a robust and seamless experience. Admins can
now sign in to the cloud portal and locate the required settings on the App Configuration page with
ease. They can use the following search methods.

• Search using setting description

You can locate settings by entering keywords found within the setting’s description. It allows for a
more flexible search approach, using relevant terms associated with the desired setting.

• Search using API setting name

You can search for settings by entering the corresponding API setting name. This method allows for a
more precise and targeted search, enabling users to quickly find the specific setting they require.

View applicable platforms for each setting

Each setting now dynamically displays only those platforms to which it’s relevant and applicable. This
approach ensures that users are presented with a concise and tailored list of options.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 236

Citrix Workspace

Frequency of fetching updated settings

Once the configuration is published, it might take a few hours for the settings to be updated on the
client side.

• In the same session, settings are updated as follows.

Platform Maximum time required to update settings

Citrix Workspace app for Windows up to 6 hours

Citrix Workspace app for macOS up to 6 hours
Citrix Workspace app for Linux up to 6 hours
Citrix Workspace app for HTML5 up to 3 hours
Citrix Workspace app for ChromeOS up to 3 hours
Citrix Workspace app for iOS up to 6 hours
Citrix Workspace app for Android up to 6 hours

• For Windows and macOS, settings can be updated immediately if the end users exit and restart
their Citrix Workspace app.

• When an end user adds a store to their Citrix Workspace app, the settings for that store are up‑
dated automatically.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 237

Citrix Workspace

Order of precedence for application of settings

In addition to the Global App Configuration service, there are platform specific tools, such as GPO for
Windows, that can be used to configure end‑user settings.
In the event of a conflict between settings configured through the Global App Configuration service
and other platform tools, the settings are applied in the following order.

Platform Store type Order of precedence

Citrix Workspace app for
Windows
Citrix Workspace app for Mac
Citrix Workspace app for Linux
Citrix Workspace app for
HTML5
Citrix Workspace app for
ChromeOS
Citrix Workspace app for iOS
Citrix Workspace app for
Android
StoreFront and Cloud Group Policy Object (GPO) or
MDM > Global App
Configuration service
StoreFront and Cloud MDM > Global App
Configuration service >
UserDefaults
Cloud MDM > Global App
Configuration service
StoreFront Global App Configuration
service > Configuration.js
Cloud Global App Configuration
service
StoreFront Google Admin Policy > Global
App Configuration service >
Configuration.js
Cloud Google Admin Policy > Global
App Configuration service
StoreFront and Cloud Global App Configuration
service
StoreFront and Cloud Global App Configuration
service

Limitations

Only the first Global App Configuration service‑enabled store can fetch the setting.

Additional Resources

• Technical Brief on Global App Configuration service

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 238

Citrix Workspace

• FAQs: Global App Configuration service settings and behaviors

• Webinar recording: How to use Global App Configuration service
• Citrix Features Explained: Global App Configuration Service

Configure settings for cloud stores

December 20, 2024

Overview

You can configure Citrix Workspace app settings for cloud stores using the Global App Configuration
service (GACS). It helps admins configure and manage Citrix Workspace app for end users on both
managed and unmanaged devices. This service is supported on Windows, Mac, Android, iOS, HTML5,
and ChromeOS platforms.

Prerequisites

• The addresses <https://discovery.cem.cloud.us>, <https://gacs-discovery

.cloud.com>, and <https://gacs-config.cloud.com> must be contactable. It’s
required for the functioning of email‑based discovery and Global App Configuration services.

• Verify that you have access to a Citrix Cloud account. If not, you can create an account from
https://onboarding.cloud.com/. For more information, refer to Sign up for Citrix Cloud.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 239

Citrix Workspace

• Verify that you have a Workspace subscription.

Get started with configuration

You can sign in to your Citrix Cloud account and configure settings from Workspace Configuration >
App Configuration.
Before proceeding, verify if you have the following permissions.

• Workspace subscription: The Workspace subscription is required to create a Workspace URL.

If you don’t have a subscription, you can’t add and configure cloud stores. You’ll only be pre‑
sented with an option to configure on‑premises stores.

• Workspace URL: If you have a Workspace subscription but haven’t added your URL yet, you
are presented with the following screen. You can click Claim URL under the App Configuration
section to claim your URL.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 240

Citrix Workspace

Configure settings

You can configure settings for Citrix Workspace app from the Citrix Cloud portal. If multiple stores
have been configured for your organization, you can configure each of the stores separately.

1. Go to Citrix Cloud and sign in with your Citrix Cloud credentials.

2. Navigate to Workspace Configuration > App Configuration.

3. From the list of configured store URLs, select the store for which you want to map settings and
then click Configure.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 241

Citrix Workspace

4. Modify the settings for your preferred platforms as per your requirement.

5. Click Publish Drafts to save the settings.

Note:

It might take a few hours for the settings to be updated to the Citrix Workspace app clients. For
more information, see Frequency of fetching updated settings.

Manage settings for user group using configuration profiles

This section explains how administrators can use the configuration profile feature in the Global App
Configuration service (GACS) to configure settings for user groups who use cloud stores of Citrix Work‑
space app.

To get started with this feature, administrators need to verify that their Citrix Workspace app version
is compatible, as shown in the following table:

Citrix Workspace app platform Minimum supported version

Windows 2405
Mac 2405.11

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 242

Citrix Workspace

Configuration

For instructions on leveraging configuration profile to assign settings to a user group, see Manage
settings for user group using configuration profile.

Setup email based discovery

Email based discovery service allows end users to sign in automatically using their email addresses.
They aren’t required to furnish their store URLs.
To enable this service for cloud stores, you need to perform the following steps.

1. Claim a domain

2. Create a domain to URL mapping

Claim a domain

To claim a domain:

1. Go to <https://adsui.cloud.com>.

2. Navigate to Claims > Domains > Add Domain.

3. Enter the domain that you want to claim (example, ace.example.com).

4. Click Confirm.

5. Copy the DNS token displayed on the screen.

6. To create a DNS TXT record, go to the service‑provider portal and add the DNS token.

7. To start the verification process:

a) Navigate to Claims > Domains.

b) Go to the domain that you have added and click the ellipsis menu.

c) Select Verify Domain.

d) Click Start DNS Check.

Once the verification is completed, the status of your domain changes from pending to verified.

Note:

You can claim a maximum of 10 domains. If you want to claim more than 10 domains, contact
Citrix Support and provide your Customer ID and URL.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 243

Citrix Workspace

Create a domain to URL mapping

1. Navigate to Claims > Domains.

2. Go to the domain that you have added and click the ellipsis menu.
3. Click Add Another Server URL.
4. Enter the store URL that you want to map to this domain.
5. Click Save.

Note:

It is mandatory to include port number 443 in the store URL. For example, https://example
.cloud.com:443.

Configure settings for on‑premises stores

December 20, 2024

Overview

You can configure the Citrix Workspace app settings for on‑premises stores using the Global App Con‑
figuration service (GACS). It helps you configure and manage Citrix Workspace app for end users on
both managed and unmanaged devices. The Global App Configuration service is supported on Win‑
dows, Mac, Android, iOS, HTML5, and ChromeOS platforms.

Prerequisites

• The addresses <https://discovery.cem.cloud.us>, <https://gacs-discovery

.cloud.com>, and <https://gacs-config.cloud.com> must be contactable. It’
s required for the functioning of the email‑based discovery and Global App Configuration
service.

• Verify that you have access to a Citrix Cloud account. If you don’t already have an account, you
can create one from https://onboarding.cloud.com/. For more information, refer to Sign up for
Citrix Cloud.

• In an on‑premises environment, you must claim a URL before you can configure settings. For
more information, see Claim a URL.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 244

Citrix Workspace

Get started with configuration

To configure settings for an on‑premises store, sign in to your Citrix Cloud account and navigate to
Workspace Configuration > App Configuration. If you have claimed ownership for your StoreFront
URL, see the Configure settings section for more information.

If you haven’t claimed your StoreFront URL yet, you can claim it. For that, click Claim URL under
the App Configuration section to claim your URL. For more information, see the Claim a URL for on‑
premises stores section.

If you have not yet claimed ownership for your StoreFront URL, you are presented with the following
screen that prompts you to secure your URL before proceeding. For more information, refer to Claim
a URL for on‑premises stores.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 245

Citrix Workspace

Claim a URL for on‑premises stores

It’s mandatory to establish a claim to your URL before you start configuring the settings for it.

To claim a URL:

1. Go to <https://adsui.cloud.com/url> and sign in with your Citrix Cloud credentials.

2. Navigate to Claims > URLs > Add URL.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 246

Citrix Workspace

3. Enter the URL that you want to claim.

4. Click Confirm. The following Verify your URL pop‑up appears.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 247

Citrix Workspace

Note:

If the on‑premises environment does not have a NetScaler Gateway installed, you won’t
be able to perform the verification process (from Step 5 onwards). In this case, perform
Steps 1 through 4 as described in the preceding procedure and contact our Support team
with your Customer Id and the URL that you want to claim.

5. If you have a NetScaler Gateway installed in your on‑premises setup, you can verify your URL
using the following steps.

a) Copy the token that appears on the pop‑up.

b) Create and configure a responder action and responder policy within your NetScaler.

Note:

The Verify your URL pop‑up contains the steps that guide you to create and configure a
responder action and responder policy within your NetScaler.

a) Bind your responder policy globally.

b) Go to https://<customergatewayurl>/vpn/CitrixClaims to verify if your re‑
sponder policy is configured correctly.
c) Navigate back to Claims > URLs, and locate the URL that you added.
d) Click the ellipsis menu icon for the added URL.
e) Select Verify URL.
f) Click Start Claim Check to start the verification process.

Once the configuration is completed, the status of your domain changes from pending to veri‑
fied.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 248

Citrix Workspace

Configure settings

You can configure settings for Citrix Workspace app, once you’ve claimed the URL. If multiple stores
have been configured for your company, you can configure the settings for each of them separately.

1. Go to the Citrix Cloud portal and sign in using your credentials.

2. Navigate to Workspace Configuration > App Configuration.

3. From the list of configured StoreFront URLs, select the one for which you want to map settings,
and then click Configure.

4. Modify the settings for your preferred platforms as per your requirement.

5. Click Publish Drafts to save the settings.

Note:

It might take a few hours for the settings to be updated to the Citrix Workspace app clients. For
more information, see Frequency of fetching updated settings.

Manage settings for user group using configuration profiles

This section explains how administrators can use the configuration profile feature in the Global App
Configuration service (GACS) to configure settings for user groups who use on‑premise stores of Citrix

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 249

Citrix Workspace

Workspace app.

Prerequisites

To get started with this feature, the administrators need to meet the following prerequisites:

• Verify Citrix Workspace app version

• StoreFront server requirement
• Configure Cloud Connector or Connector Appliance for Active Directory Management
• Configure registration tool

Verify Citrix Workspace app version Verify your Citrix Workspace app version is equal to or higher
than the versions specified in the following table.

Citrix Workspace app platform Minimum supported version

Windows 2405
Mac 2405.11

StoreFront server requirement The minimum required version of the StoreFront server is
2203.0.3000.14.

Configure Cloud Connector or Connector Appliance for Active Directory Management The Cit‑
rix Cloud Connector and Connector Appliance are citrix components that serve as a channel for com‑
munication between Citrix Cloud and your resource locations. It enables the use of Active Direc‑
tory forests and domains within resource locations, thereby allowing administrators to access the
AD group information for managing configuration profiles.

To learn more about Citrix Cloud Connector, see Citrix Cloud Connector in the Citrix Cloud product
documentation.

To learn more about Connector Appliance, see Connector Appliance for Cloud Services in the Citrix
Cloud product documentation.

Configure registration tool Administrators need to download and run a registration tool on the
StoreFront server. The registration tool installs a certificate that establishes trust between the Store‑
Front server and GACS. As a result, GACS can collect information about the AD group they belong to
for managing configuration profiles.

The process involves the following steps:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 250

Citrix Workspace

1. Generate registration tool.

2. Download and run the registration tool.
3. Validate the registration tool.

Generate registration tool The registration tool is an executable file that needs to be run on the
StoreFront server hosted within the organization. This registers GACS as a trusted service to access
AD group information.

To generate the registration tool, do the following:

1. Navigate to Workspace Configuration > App Configuration.

2. Select your StoreFront URL, and click Manage configuration profiles.

3. On the Manage configuration profiles screen, click Generate to generate the registration tool.

Download and run the registration tool Download the registration tool: When the registration
tool is generated, the Download option becomes enabled, allowing the administrator to download
the tool. When the administrator clicks the Download option, the registration tool is downloaded in
an executable format.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 251

Citrix Workspace

Note:

The registration tool is downloaded as a .zip file bundled with a README file. The README file
provides detailed instructions to download and run the registration tool.

Run the executable file: Once the registration tool is downloaded, the administrator can then run the
registration tool to install a certificate on the StoreFront server hosted within the organization. This
certificate allows the server to trust GACS for the configuration profile management.

When you run the registration tool, you can decide whether to run the tool on a single store or all stores
of the StoreFront server. Once you run the tool, it modifies the web.config file of the StoreFront store’
s authentication service, which registers GACS as a trusted service.

Note:

The IIS restarts when the web.config file is modified due to the successful execution of the
registration tool.

Validate registration tool Following the successful execution of the registration tool, a .zip file is
downloaded containing an acknowledgment file and a text file. The text file provides the following
information extracted from the StoreFront server:

• Public Certificate: The public certificate enables GACS to process incoming secondary tokens
issued by the StoreFront server in order to provide authenticated, group‑based settings to the
client endpoint devices running Citrix Workspace app.

• Configuration Values: Various configuration values related to the store are extracted to main‑
tain consistency and ensure that the store operates correctly after any changes or recovery
steps.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 252

Citrix Workspace

The administrator has to validate whether the certificate registration is successful by following these
steps:

1. Upload the acknowledgment file.

2. Click Validate.

Once the validation of certificate registration is successful, the Registration validated message ap‑
pears.

1. Click the Close button, and you can see the Manage configuration profiles screen.

Configuration For instructions on leveraging configuration profile to assign settings to a user group,
see Manage settings for user group using configuration profile.

Setup email‑based discovery

Email based discovery service allows end users to sign in automatically using their email addresses.
They aren’t required to furnish their store URLs.
To enable this service for cloud stores, you need to perform the following steps.

1. Claim a domain

2. Create a domain to URL mapping

Claim a domain

To claim a domain:

1. Go to the AutoDiscovery service.

2. Navigate to Claims > Domains > Add Domain.

3. Enter the domain that you want to claim (for example, ace.example.com).

4. Click Confirm.

5. Copy the DNS token that appears on the screen to the clipboard.

6. To create a DNS TXT record, go to the service‑provider portal and add the DNS token.

7. To start the verification process:

a) Navigate to Claims > Domains.

b) Go to the domain that you added and click the ellipsis menu.
c) Select Verify Domain.
d) Click Start DNS Check.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 253

Citrix Workspace

Once the verification is completed, the status of your domain changes from pending to verified.

Note:

You can claim a maximum of 10 domains. If you want to claim more than 10 domains, contact
Citrix Support and provide your Customer ID and URL.

Create a domain to URL mapping

1. Navigate to Claims > Domains.

2. Go to the domain that you added and click the ellipsis menu.
3. Click Add Another Server URL.
4. Enter the store URL that you want to map to this domain and save.

Note:

It is mandatory to include port number 443 in the store URL. For example, https://
storefront.example.com:443.

Test channel configuration

July 7, 2024

You can test your configuration before enabling it for the end users. It helps you detect and resolve
any issues that might arise post deployment.
The testing capability significantly reduces the likelihood of disruptions or errors during the deploy‑
ment process and increases overall user satisfaction.
To test your configuration:

1. Go to the cloud portal and sign in with your Citrix Cloud credentials.

2. Navigate to Workspace Configuration > App Configuration.

3. From the list of configured store URLs, select the store for which you want to map settings and
then click Configure.

4. Click the drop‑down option and select Test Channel. It is set to Production by default.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 254

Citrix Workspace

5. Modify the settings for your preferred platforms as per your requirement.

6. You can then click Publish Drafts to publish your settings in the test channel.

Note:

The Global App Configuration service supports only two channels per store, one production (de‑
fault) and one test channel.

Configure channel support on end‑user devices

Windows

To test the configuration defined by admins on a Windows device, users need to create the following
registry.

1 Path- HKEY_CURRENT_USER\SOFTWARE\Citrix\Receiver
2 Name- AppConfigChannelName
3 Type- REG_SZ
4 Value- testrolloutchannel1

Mac

To test the configuration defined by the admin on a Mac device, users need to perform the following
steps.

1. Set the name of the Global App Configuration service test channel using the following com‑
mand:

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 255

Citrix Workspace

1 defaults write com.citrix.receiver.nomas GACSChannelName

testrolloutchannel1

2. Restart the Citrix Workspace Helper, using the following commands:

1 launchctl unload /Library/LaunchAgents/com.citrix.ReceiverHelper.

plist
2
3 launchctl load /Library/LaunchAgents/com.citrix.ReceiverHelper.
plist

Once the device restarts, the configuration for the test channel is fetched automatically.

iOS

To test the configuration defined by the admin on an iOS device, proceed as follows.

1. Sign in to the Citrix Workspace App.

2. Go to Settings > Advanced > App configuration.
3. Select the test channel.
4. You can now test the configuration defined by the admin.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 256

Citrix Workspace

Android

To test the configuration defined by the admin on an Android device, proceed as follows.

1. Sign in to Citrix Workspace app.

2. Go to Settings > Advanced > App Configuration.

3. Select the test channel.

4. You can now test the configuration defined by the admin.

Manage Citrix Workspace app versions

December 17, 2024

Overview

You can use the Citrix Workspace App Version setting to specify which Citrix Workspace app version
must be used by your end users for optimal results. You can set up a rule that updates the app to the
latest CR (Current Release) or LTSR(Long Term Service Release) version. You can also specify if the
upgrade must occur automatically or if the end user can update the app manually.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 257

Citrix Workspace

Note

This setting can be configured only for macOS and Windows OS.

To manage the app version settings, sign in to your Citrix Cloud console.

1. Navigate to Workspace Configuration > App Configuration.

2. Go to the Updates and Plug‑ins category.
3. Expand the Citrix Workspace app Version setting.

4. Select the Windows or Mac checkbox and then click Edit.

5. You can now customize the settings as explained in the Manage version settings section.
6. Save your settings.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 258

Citrix Workspace

Manage version settings

You can customize the Citrix Workspace app version settings to cover one of the following use cases.

Upgrade your end users automatically to the latest CR version

If you select the Use default settings checkbox, your end users are updated to the latest CR version.
The upgrade happens automatically at the beginning of the Delivery period, that is, as soon as a new
CR version is rolled out. For more information on Delivery period, see Delay Group.

Upgrade your end users automatically to the latest LTSR or CR version

The Automatically update to the latest version setting enables you to upgrade your end users to
the latest version. However, you must select the delivery period for the upgrade under Delay group
settings.

To use this option, you must first clear the Use default settings checkbox. Only then, you’ll be able to
select the Automatically update to the latest version setting. In the Update Type field, select LTSR
or CR.

The upgrade occurs as per your Delay group settings. For example, if you have selected Fast under
Delay group, the app is updated automatically as soon as a new version is rolled out. For more infor‑
mation on delivery period, see Delay group.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 259

Citrix Workspace

As the app is updated automatically to the latest version, the Maximum allowed version field is au‑
tomatically disabled.

Upgrade your end users to a specified CR or LTSR version

If you want to select a specific version that the end user must update to, proceed as follows.

1. Clear(disable) the Use default settings checkbox.

2. Clear(disable) the Automatically update to the latest version checkbox.

3. In the Update type field, select your preferred release type.

4. In the Maximum allowed version, select the version that you want to upgrade your end users
to. You can select the appropriate version from a list of 3 previous versions.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 260

Citrix Workspace

5. Under the Delay Group section, select the preferred delivery period. For more information on
delivery period, see Delay Group.

Delay Group

When a new version of the Citrix Workspace app is available, Citrix rolls out the update during a specific
delivery period. With this option, you can control at what stage during the delivery period you can
receive the update.

• Fast: Update rollout happens at the beginning of the delivery period.

• Medium: Update rollout happens at the mid‑delivery period.

• Slow: Update rollout happens at the end of the delivery period.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 261

Citrix Workspace

Automatic update timeframe

Administrators can now schedule automatic updates for Citrix products at any preferred time on their
Mac devices. During this specified time, software updates automatically or users receive notifications
on available updates. This feature is applicable for all Citrix updates on Mac platforms. The aim is
to minimize disruption to end users during their working hours, thereby providing an enhanced user
experience.

To enable this feature, do the following:

Note:

The feature is currently available only on the Mac platform.

1. Navigate to Workspace Configuration > App Configuration in Citrix Cloud.

2. Select the required store URL from the list.

3. Navigate to Configure > Updates and Plug‑ins, and click the Automatic update timeframe
setting.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 262

Citrix Workspace

4. Select the appropriate operating system, and click Edit to define the time window within which
automatic update occurs.

Update between: In this field, add the start time and end time between which you prefer to execute
the automatic update.
Note:

The difference between start and end time should be at least 1 hour and should be on the same
day.

Defer day count: In this field, mention the number of times users can postpone the automatic update.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 263

Citrix Workspace

When a user runs out of the allocated defer count, the automatic update occurs during the time frame
defined in the Update between fields.

Citrix Workspace app version

Administrators can schedule convenient date ranges during which an automatic update of Citrix Work‑
space app should roll out to their end users. This capability allows them to determine the rollout dates,
minimizing disruption to end users and improving the user experience.

To enable this feature, do the following:

Note: The feature is currently available only for Citrix Workspace app on the Mac platform.

1. Navigate to Workspace Configuration > App Configuration in Citrix Cloud.

2. Select the required store URL from the list.

3. Navigate to Configure > Updates and Plug‑ins, and click the Citrix Workspace app version
setting.

4. Select the appropriate operating system, and click Edit to configure the setting

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 264

Citrix Workspace

Maximum allowed version: Define the maximum software version you want to allow for the auto‑
matic update.

Roll out start date: Define the start date at which you prefer to start the automatic update of your
Citrix Workspace app. Once you set a date, the app doesn’t get updated even if a newer version of the
app is available.

Delivery period: Enter the number of days up to which the automatic update rolls out. The automatic
update process will complete within the specified delivery period. The delivery period is an increment
of 15.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 265

Citrix Workspace

Note:

Automatic updates occurs only after user sign in to Citrix Workspace app.

Automatic update management settings supports configuration profiles

The automatic update management settings such as Automatic update timeframe and Citrix Work‑
space app version are applicable for different user groups through configuration profiles.

To enable this feature, do the following:

Note:

The feature is currently available only on the Mac platform.

1. Navigate to Workspace Configuration > App Configuration in Citrix Cloud.

2. Select the required store URL from the list.

3. Navigate to Configure.

4. Select a configuration profile from the list.

5. Configure the settings Automatic update timeframe or Citrix Workspace app version as men‑
tioned in Automatic update timeframe and Citrix Workspace app version.

Manage plug‑ins using Global App Configuration service

July 8, 2024

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 266

Citrix Workspace

Overview

With Global App Configuration service, you can configure installation and update settings for plug‑ins
from a centralized platform. These plug‑ins must be built either by Citrix or its partners. The Global
App Configuration service UI provides admins a centralized platform to distribute plug‑ins across man‑
aged and personal devices.

Note:

Plug‑in installation or upgrade isn’t supported for LTSR releases.

If your store is GACS configured and end users have already added it to their Citrix Workspace app,
any change in the plug‑in setting is reflected as per the duration specified here. This means that after
you publish your changes, it might take a few hours for the settings to be updated on the client side,
depending on the platform.

After the configuration has been fetched on the client side, the Citrix Auto‑Update service installs the
plug‑in as per your Delay Group settings or within 24 hours, whichever is sooner.

Note:

End users can manually update to the latest version of the plug‑ins using the Check for updates
option in their system tray. This overrides any delay group settings.
However, this option also updates the Citrix Workspace app, either to the latest version or to the
version specified by the admins.

Supported plug‑ins can be found under the Updates and plug‑ins section on the GACS UI.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 267

Citrix Workspace

Citrix Endpoint Analysis Plug‑in

This setting helps you install and update the Citrix Endpoint Analysis plug‑in to the latest version for
your end users.

The Citrix Endpoint Analysis plug‑in enables you to run device‑posture checks on end‑user devices.
Citrix Device Posture service is a cloud‑based solution that helps admins to enforce certain require‑
ments that the end devices must meet to gain access to Citrix DaaS (virtual apps and desktops) or
Citrix Secure Private Access resources (SaaS, Web apps, TCP, and UDP apps).

You can configure your plug‑in settings as described in the Deployment mode settings section.

Note:

This plug‑in is available only on Windows and Mac platforms.

For more information, see Manage Citrix Endpoint Analysis client for Device Posture service.

Citrix Secure Access Agent

End users can easily access all their sanctioned private apps by installing the Citrix Secure Access agent
on their client devices.

With the additional support of client‑server apps within Citrix Secure Private Access, you can now
eliminate the dependency on a traditional VPN solution to provide access to all private apps for remote
users.

You can configure your plug‑in settings as described in the Deployment mode settings section.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 268

Citrix Workspace

Webex VDI AutoUpgrade Plug‑in

The Webex App VDI solution optimizes the audio and video for calls and meetings. With GACS, you
can manage the Webex VDI Plug‑in manager. The Webex VDI Plug‑in manager, in turn, installs and
manages the Webex plug‑in installed on the end‑user’s device.

Note:

This plug‑in is available only on the Windows platform.

The Webex VDI plug‑in installer engine is installed during the regular auto update of the Citrix Work‑
space app or when you check for updates manually.

Important:

Citrix only manages the installation and update of the Webex VDI Plug‑in manager. The Webex
plug‑in that is installed on the end‑user’s device is managed by Webex itself.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 269

Citrix Workspace

Configure plug‑in settings

Before proceeding, you must ensure that you’ve completed the steps listed in the Prerequisites sec‑
tion below.
You can then configure your plug‑in settings as described in the Deployment mode section.

Prerequisites The following steps must be followed for configuring the Virtual Channel:

1. Either disable or configure the Virtual Channel List policy on the Broker to allow Webex to use
the VC as documented here.
2. Enable Autoupgrade for the VDI plug‑in on the Virtual Desktop where the Webex App for VDI is
installed using the following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Spark Native, set AutoUpgradeVDIPluginEn
=1

You can now sign in to your Citrix Cloud account and configure your plug‑in settings as described in
the Deployment mode settings section.

Webex VDI plug‑in compatibility with Webex app

Once the configuration is done, a refresh option appears in the menu on the Webex app running in the
VDI. Click the refresh option, the Webex app closes and the Webex VDI plug‑in is installed on the user’
s endpoint.

The Webex VDI plug‑in does not appear in the list of programs on Windows even after installation. To
check if the plug‑in is installed, you can run a Health Check on the Webex app running in the VDI.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 270

Citrix Workspace

Check the VDI section to verify if the plug‑in is installed. You can also verify if the plug‑in version is
compatible with the Webex app version.

The Webex VDI Plug‑in manager automatically installs the latest Webex plug‑in version which is com‑
patible with the end user’s Webex app. For more information on compatible versions, refer to Webex
Version support.

If the versions don’t match, check if you’ve disabled the Compatibility check on the VDI using the
steps below:

1. Go to HKEY_LOCAL_MACHINE\Software\Cisco Spark Native\.

2. Create a DWORD (32‑bit) registry key named VDIDisableCompatibilityVersionCheck
and give it one of these values:

1 - 0 — enables the version compatibility check (default)

2 - 1 — disables the version compatibility check

Zoom VDI Plug‑in Management

With GACS, you can manage the Zoom VDI Plug‑in manager. The Zoom VDI Plug‑in manager, in turn,
installs and manages the Zoom plug‑in installed on the end‑user’s device.

Important:

Citrix only manages the installation and update of the Zoom VDI Plug‑in manager. The Zoom
plug‑in that is installed on the end‑user’s device is managed by Zoom itself.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 271

Citrix Workspace

Configure plug‑in settings

Before proceeding, you must ensure that you’ve completed the steps listed in the Prerequisites sec‑
tion below.
You can then configure your plug‑in settings as described in the Deployment mode settings section.

Prerequisites

The following steps must be followed for configuring the Virtual Channel:

1. Either disable or configure the Virtual Channel List policy on the Broker to allow Zoom to use
the Virtual Channel as documented here.
2. Enable the virtual desktop for Zoom VDI plug‑in Management with registry key as documented
here.

You can configure your plug‑in settings as described in the Deployment mode settings section.

Once the configurations are done, open the Zoom app and keep it running on the VDI. The user should
see a pop up (prompt) after sometime (once the Zoom VDI plug‑in installer is downloaded on the user’
s endpoint) letting them know that the session will be disconnected to install the VDI plugin on the
endpoint. Upon clicking OK, Zoom would close the Citrix Session and proceed to install the plug‑in
on the user’s endpoint.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 272

Citrix Workspace

Microsoft Teams VDI Plug‑in Management

The Microsoft Teams VDI Plug‑in Manager optimizes the audio and video for calls and meetings. With
Global App Configuration service, you can manage the installation of Microsoft Teams Plug‑in Manager.
This Plug‑in Manager, in turn, installs and manages the Microsoft Teams Optimization plug‑in (VDI 2.0
or Slimcore engine) on the end‑user’s device.

Configure plug‑in settings

Before proceeding, you must ensure that you’ve completed the steps listed in the following Prereq‑
uisites section.

Prerequisites

Administrators are required to configure a new registry setting in the VDA to enable the new Microsoft
Teams to access the Citrix virtual channel. For more information, see the Note given in Optimization
for Microsoft Teams. This registry setting is not required if you’re using CVAD 2402 LTSR and above (or)
2203 LTSR CU5 and above.
You can now sign in to your Citrix Cloud account and configure your plug‑in settings as described in
the Deployment mode settings section.

For more information, see New VDI solution for Teams.

Note:

• Reconnect the session after the successful installation of the plug‑in on the end‑user device.
After that, Microsoft Teams VDI app needs to be restarted twice to enter VDI 2.0 mode.
• This plug‑in is available only on the Windows platform, and it is applicable starting with

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 273

Citrix Workspace

Citrix Workspace app for Windows version 2405.

• This plug‑in is only applicable to New Teams (Teams 2.x) and not Classic Teams.

Deployment mode settings

Sign in to your Citrix Cloud account and navigate to Workspace Configuration > App Configuration.
From the list of configured URLs, select the one for which you want to map settings, and click Config‑
ure. Under the Updates and Plug‑ins section, navigate to the desired plug‑in and click the expand
icon to view the applicable platforms. Select the platform that you want to configure the settings for
and click Edit.

• Install and update: Installs the latest version of the plug‑in on the end‑user’s device. It auto‑
matically updates the plug‑in to the latest version.

• Install only: Installs the latest version of the plug‑in on the end‑user’s device. It does not auto‑
update.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 274

Citrix Workspace

After you’ve selected the deployment mode, you must specify if the plug‑in installation or update must
require the end‑user’s intervention. You can select one of the following options.

• Install the plug‑in silently after the end‑user adds the store: The plug‑in is installed or up‑
dated to the latest version after the end user has added the store. The installation is completed
in the background and end users receive a notification once the installation or update is com‑
pleted. They can sign in and access their stores as usual.

• Install the plug‑in before the end user logs in: The end user will be unable to sign in to their
Citrix store until the installation is completed. Once the installation is completed, the end users

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 275

Citrix Workspace

receive a notification. End users are then redirected to authenticate and access the store. Up‑
grade occurs in regular auto update cycle.

Delay Group

• Fast: Update rollout happens at the beginning of the delivery period.

• Medium: Update rollout happens at the mid‑delivery period.
• Slow: Update rollout happens at the end of the delivery period.

Manage settings for user group using configuration profile

November 28, 2024

This section explains how to configure settings for user groups using the configuration profile feature
in Global App Configuration service (GACS).

Note:

This feature is currently available for cloud stores on Windows, Mac, Linux, Android, and iOS
platforms.

Introduction to user group and configuration profile

A user group is a collection of users that are created and managed by administrators. Configuring
settings for a user group ensures that all users within the user group have the same experience simul‑
taneously. You can create a user group through your organization’s identity provider (IdP) by leverag‑
ing the AD group information stored in the IdP. For more information on the list of supported identity
providers, see Configure Authentication.

A configuration profile is used to identify a collection of user groups and it represents a higher‑level
abstraction of user groups, with each configuration profile capable of containing multiple user groups.
If you need to configure some settings for a particular user groups, you can create a configuration
profile and add those user groups to it. You can choose any configuration profile and assign settings
to it, so that the experience is applied to all user groups within the configuration profile.

Note:

• You can create up to 20 configuration profiles.

• You can add up to 10 user groups in a configuration profile.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 276

Citrix Workspace

Set Priority

When a user group belongs to multiple configuration profiles, settings from the configuration profile
with the highest priority will be applied to that user or user group. The lower the value, the higher
the priority. For more information about setting a priority, see Create a configuration profile and Edit
priority.

Note:

We recommend leaving sufficient gaps between the priority of configuration profiles, such as
1000, 2000, 3000, etc. This makes it easier to insert new priority values later during the creation
of other configuration profiles without needing to edit the existing values.

Create a configuration profile

You can create a configuration profile in two different ways. Either from the App Configuration page
or from App Configuration > URL Configuration page.

Create configuration profile from Workspace Configuration page

1. Sign in to your Citrix Cloud account and navigate to Workspace Configuration > App Configu‑
ration.
2. Click Manage configuration profiles.
3. Click Create to create a configuration profile.
4. Enter the name, description, and priority of the configuration profile in the Name, Description,
and Priority fields respectively.
5. In the Search for user groups field, enter a keyword and search the user groups that you want
to add into this configuration profile. You can add the desired user groups by clicking the user
group from the search list.
6. Click Save.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 277

Citrix Workspace

Note:

Name and Priority are mandatory fields.

Create configuration profile from URL configuration page

1. Sign in to your Citrix Cloud account and navigate to Workspace Configuration > App Configu‑
ration > URL configuration. You can navigate to the URL configuration page by clicking on the
Configure button.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 278

Citrix Workspace

2. Click Manage configuration profiles, and then click Create.

For further instructions, see steps 3 –7 given in Create configuration profile from Workspace configu‑
ration page.

Edit a configuration profile

1. Navigate to Workspace Configuration > App Configuration.

2. Click Manage configuration profiles.
3. Select the configuration profile you want to delete from the given list.
4. Click Edit.
5. Update the relevant fields, and then click Save.

Edit priority of a configuration profile

1. Navigate to Workspace Configuration > App Configuration.

2. Click Manage configuration profiles.
3. Select the configuration profile you want to delete from the given list.
4. Click Edit priority.
5. Update the priority value, and click to update the value or click to cancel the changes.
6. Click Close.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 279

Citrix Workspace

Delete a configuration profile

To delete a configuration profile, you must reset all configured settings within the configuration profile.
The detailed steps are as follows:

1. Navigate to Workspace Configuration > App Configuration.

2. Click the Configure button, and select the appropriate configuration profile from the drop‑
down list.

3. Click Reset all to default.

4. Check the declaration, and click Reset all.

Note:

If you haven’t configured any settings for the configuration profile, you don’t have to reset
the settings. So, you can skip steps 2 –4 in that case.

5. Click Manage configuration profiles.

6. Select the configuration profile you want to delete from the given list.

7. Click Delete.

Note:

You can use the Edit, Delete, and Edit priority options from both Workspace Configuration
page and URL Configuration page.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 280

Citrix Workspace

Configure settings for configuration profiles

1. Sign in to your Citrix Cloud account and navigate to Workspace Configuration > App Configu‑
ration > URL configuration.

2. Select the appropriate configuration profile from the drop‑down list.

3. Configure relevant settings for the configuration profile.

Configure settings for storewide

This section describes two scenarios where you have to configure settings only for storewide.

Use case 1: Settings that can be configured only for storewide

Some settings cannot have a custom value for user groups. These settings are covered as part of
Storewide and appear inactive when accessed within the configuration profile. You can see a warning
message with an option to switch to the Storewide configuration page.

Alternatively, you can configure the settings for storewide using the following instructions.

1. Navigate to Workspace Configuration > App Configuration > URL configuration.

2. Select Storewide from the drop‑down list.

3. Configure relevant settings.

Use case 2: Configure settings for remaining users

If you haven’t grouped any users under a configuration profile, those remaining users are covered by
Storewide. To configure settings for such users, see steps 1 –3 given in Use case 1: Settings that can
be configured only for storewide.

Note:

When you configure a setting for both Storewide and a configuration profile, the configuration
profile holds the highest priority at the time of applying settings.

Clone settings across stores, channels, and configuration profiles

July 22, 2024

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 281

Citrix Workspace

Clone settings refers to the ability to duplicate settings which are already configured through Global
App Configuration service. Instead of going through the entire configuration process again, admin‑
istrators can simply clone the existing settings to save time and effort. This feature streamlines the
workflow, improves productivity, and maintains consistency.
GACS allows cloning of settings in the following scenerios:

• Between channels: Clone the configured settings from one channel to the other.
• Between configuration profiles: Clone the configured settings between configuration profiles
created within the store.
• From store to a configuration profile: Clone the configured settings in storewide to a config‑
uration profile.
• Between stores: Clone the configured settings from the current store to another store.

Note:

• Cloned settings overwrite the existing settings at the destination.

• Certain storewide‑only settings can’t be cloned to the configuration profile with From store
to a configuration profile option.
• Cloning between stores is possible only with stores of the same type. Both the source and
destination stores need to be either Workspace stores or StoreFront stores.

To use this feature, you need to:

1. Navigate to Workspace Configuration > App Configuration in your Citrix Cloud account.
2. Select the desired store from the given store list, and click the Clone Settings option.

3. Select a cloning type from the Clone Settings window, and click Next.
4. Select Cloning to and from information by selecting the appropriate details from the drop‑
down list.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 282

Citrix Workspace

See the following sections for more information about steps 3 and 4.

Clone settings between channels:

You can clone the settings between Production and Test Channel in Storewide.

Clone settings between configuration profiles:

You can clone the settings between two configuration profiles.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 283

Citrix Workspace

Clone settings from store to configuration profiles:

You can clone the settings from a store to a configuration profile.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 284

Citrix Workspace

Clone settings between stores:

You can clone the settings between stores.

5. Click Next.

6. Verify the configured clone settings on the Summary page, and click Clone.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 285

Citrix Workspace

You can see a notification following the successful cloning.

Citrix Workspace security overview

August 9, 2024

User Authentication

Citrix Workspace can be configured to use a wide range of authentication methods. For more details
see Configure authentication.

To configure session timeouts, see Customize security and privacy policies.

Client connectivity

Clients must connect to Citrix Workspace using HTTPS with TLS 1.2 or higher. For minimum client
versions and network connectivity requirements, see system requirements.

Citrix Workspace enables HTTP Strict Transport Security to require that web browsers only use
HTTPS.

App protection

You can use App protection to prevent screen capture and screen loggers. When using a web browser,
this requires Citrix web extensions.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 286

More information

• Secure Deployment Guide for the Citrix Cloud Platform: This guide provides an overview of secu‑
rity best practices when using Citrix Cloud and describes the information Citrix Cloud collects
and manages. This guide also contains links to comprehensive information about the Citrix
Cloud Connector.
• Technical security overview for Citrix DaaS.
• Citrix Trust Center: Provides the latest information on our approach to security, privacy, and
compliance.
Citrix Workspace

© 2024 Cloud Software Group, Inc. All rights reserved. This document is subject to U.S. and international copyright laws

and treaties. No part of this document may be reproduced in any form without the written authorization of Cloud Software

Group, Inc. This and other products of Cloud Software Group may be covered by registered patents. For details, please

refer to the Virtual Patent Marking document located at https://www.cloud.com/legal. Citrix, the Citrix logo, NetScaler, and

the NetScaler logo and other marks appearing herein are either registered trademarks or trademarks of Cloud Software

Group, Inc. and/or its subsidiaries in the United States and/or other countries. Other marks are the property of their

respective owner(s) and are mentioned for identification purposes only. Please refer to Cloud SG’s Trademark Guidelines

and Third Party Trademark Notices (https://www.cloud.com/legal) for more information.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 288