Customize security and privacy policies

This article provides guidance on how to customize the sign-in experience after you’ve already configured workspace access and authentication.

For an overview on configuring workspace access and authentication, visit Configure access. For information on how to configure subscriber authentication to workspaces, visit Secure workspaces.

Create a unified user sign-in flow

The default sign-in experience is a split screen for employee users and client (external) users.

To remove the split screen, navigate to Workspace Configuration > Authentication > Unified user sign in flow and select Enable. Enabling this feature presents all users with the same sign-in option.

Set inactivity timeout for Web and Workspace app desktop and mobile

Use the Inactivity Timeout for Web setting in Workspace Configuration > Customize > Preferences to specify the amount of idle time allowed (a maximum of 8 hours) before subscribers are automatically signed out of Citrix Workspace. You can also enable inactivity timeout for the Workspace app on desktop and mobile by selecting the appropriate setting.

Unlike manual sign-out, which disconnects DaaS sessions, subscribers stay connected to their DaaS sessions even after timeout due to inactivity.

Set a reauthentication period for Citrix Workspace app

Use the Reauthentication period for Workspace app setting in Workspace Configuration > Customize > Preferences to specify the length of time subscribers can stay signed in to Citrix Workspace app before needing to sign in again.

By default, this setting requires subscribers to sign in every 24 hours (one day). You can specify a longer reauthentication period of up to 365 days. Longer reauthentication periods require subscriber consent to stay signed in. Users provisioned after September 27, 2021, a period of 30 days is required for subscribers to sign in again.

During the reauthentication period that you set, subscribers stay signed in unless they’re inactive for 14 or more days at a time. If a subscriber is inactive for 14 or more days, they’re prompted to reauthenticate the next time that they attempt to access their workspace.

You can invalidate the session for your subscribers by downloading this PowerShell script and following the instructions included in the download. Once you’ve invalidated sessions, subscribers must reauthenticate to their workspaces in the next 24 hours.

If you need to set the reauthentication period for Citrix Workspace app to less than 24 hours, you can do so via PowerShell. For more information, see Steps to configure InactivityTimeoutInMinutes.

Supported Workspace app clients

The following versions of Citrix Workspace app support this feature:

• Workspace app 2106 for Windows or later
• Workspace app 2106 for Mac or later
• Workspace app for 21.6.5 iOS or later
• Workspace app for 21.6.0 Android or later

Supported authentication methods

Staying signed in to Citrix Workspace app is supported for the following authentication methods:

• Active Directory
• Active Directory plus token
• Azure Active Directory
• Citrix Gateway
• Okta

Note:

For the same experience as a Citrix DaaS customer using Okta or Azure Active Directory, configure the Citrix Federated Authentication Service (FAS). For more information about FAS, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.

Subscriber experience for staying signed in

When subscribers sign in to Workspace on their device, Workspace prompts them to consent to staying signed in.

When the subscriber selects the Allow option, they stay signed in during the reauthentication period. If no activity is detected on a subscriber’s device for four days, the subscriber is automatically prompted to reauthenticate. After they sign in to the Citrix Workspace app, the reauthentication period remains in effect as long as they’re using their apps and desktops on the device.

If the subscriber selects Deny, Workspace prompts the subscriber to sign in again. Afterward, Workspace prompts the subscriber to sign in again after 24 hours have passed.

If the subscriber’s password changes, the subscriber must sign out and sign in again through Citrix Workspace app for the reauthentication period to continue to work.

Allow subscribers to change their account password

Note:

This feature is being rolled out to customers incrementally. You might not be able to view the feature until the rollout process is complete.

Citrix aims to deliver new features and product updates to Citrix Workspace customers when they’re available. This process is transparent to you. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally helps ensure product quality and maximize availability.

The Allow Account Password to be Changed setting in Workspace Configuration > Customize > Preferences controls whether subscribers can change their domain password from within Citrix Workspace. You can also provide guidance to subscribers so that they can create valid passwords in line with your organization’s password policy.

When enabled (default), subscribers can change their password at any time, based on your organization’s Active Directory settings. If disabled, Workspace prompts subscribers to change their password when it expires, but they can’t change their unexpired password within Workspace.

Supported authentication methods

• Active Directory
• Active Directory plus token

Supported Workspace app clients

The following versions of Citrix Workspace app support this feature:

• Workspace app for Windows 2101 or later
• Workspace app for Mac 2012 or later
• Workspace app for Chrome 2010 or later
• Workspace app for HTML5 2101 or later
• Workspace app for Android 21.1.0 or later

Subscribers can also use this feature when accessing workspaces with the latest version of Edge, Chrome, Firefox, or Safari web browsers.

This feature isn’t supported on the following:

• Older versions of Citrix Workspace app
• Citrix Workspace app for Linux

Password guidance

You can add up to 20 password requirements to meet your organization’s security policy and that your identity provider enforces. Workspace displays these requirements as a guide when subscribers change their password from their Account Settings page in Workspace. If you don’t add any password requirements, Workspace displays the message “Your organization’s password requirements still apply.”

Important:

Citrix Workspace doesn’t validate new passwords that your subscribers enter. If a subscriber tries to change their valid password to an invalid one through Workspace, your identity provider rejects the new password. The existing password isn’t changed.

To add password requirements:

1. Navigate to Workspace Configuration > Customize > Preferences.
2. Under Allow Account Password to be Changed, check that the setting is in the enabled state. If disabled, enable the setting.

3. Select Add a password requirement.

   

4. Enter a requirement that matches your organization’s security requirements for valid passwords. For example, you can specify that a password must be a certain character length. Select Add a password requirement to add more items for subscribers when they change their password.

   

5. When you’re finished adding requirements, select Save.

6. Select Save again to save all your setting changes.

   

Subscriber experience when changing passwords

Tip:

To increase awareness of this feature with your subscribers, consider including a recommendation in your internal knowledgebase for subscribers to change their domain passwords through Workspace. Download pdf file for instructions you can include in your own communications and knowledgebase articles.

When Allow Account Password to be Changed is enabled, subscribers can change their password in Workspace by going to Account Settings > Security & Sign in.

Select View Password Requirements to display all the requirements you entered in Workspace Configuration.

Subscribers are automatically signed out of Workspace after changing their password and must sign in again with their new password.

Send custom announcements

Send a custom announcement to display a time-limited message of your choosing, such as an upcoming maintenance window.

The custom announcement is displayed for all subscribers in all clients including web and mobile devices. Subscribers see the message after they sign in. Subscribers can’t dismiss this announcement, but they can minimize it on their mobile device.

1. From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences > Send custom announcement > Configure.
2. Enter the title and text of the message that you want to display, and select the dates, times, and placement (top or bottom) for displaying the message to subscribers.
3. To view how your message appears to subscribers, select Preview.
4. When you’re finished, select Save.

Configure a sign-in policy

Create a custom sign-in policy to inform subscribers of your organization’s End-User License Agreement (EULA) when they sign in to their workspace.

When enabled and configured, the sign-in policy is displayed in all clients including web and mobile devices. Subscribers can see the sign-in policy when they sign in. Subscribers can’t bypass the policy and must accept it to sign in to their workspace.

1. From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences.
2. In the Sign in policy section, select Configure. If a policy exists, the button reads Edit, instead.
3. Enable the feature using the toggle under Enable policy.
4. In Policy header, enter a title for the policy.
5. Enter the policy text that subscribers must agree to before signing in. If needed, add localized text for other languages in the same text box.

6. Enter a name for the button that subscribers must select to agree to the policy.

   

7. Select Preview to see what the policy looks like for subscribers.
8. When you’re finished, select Save.

Note

If you have Citrix Gateway configured as your Workspace identity provider, you might already have a sign-in policy as part of your AAA and nFactor authentication flow. Citrix recommends that you configure only one sign-in policy, either as part of your existing nFactor authentication flow or outside the flow using the Citrix Cloud administration console.