This article shows administrators how to configure workspaces for subscribers, who might be using one or more services available from Citrix Cloud.
The following addresses need to be contactable in order to properly operate and consume Citrix Workspace:
For a full listing of Citrix Cloud connectivity requirements, see Internet Connectivity Requirements.
Change access to workspace
In Citrix Cloud > Workspace Configuration > Access, the Workspace URL is ready to use. You enable the availability of individual service resources to your users from the Service Integrations tab. By default, the Virtual Apps and Desktops service and the Secure Browser service are enabled after you subscribe to them. All other new services that your organization subscribes to are disabled by default.
- In Citrix Virtual Apps Essentials, Workspace Configuration is available from the Citrix Cloud menu after you create the first catalog.
- Workspace does not support connections from legacy clients that use a PNAgent URL to connect to resources. If your environment includes these legacy clients, you must instead deploy StoreFront on-premises and enable legacy support. To secure these client connections, use Citrix Gateway on-premises instead of the Citrix Gateway service.
Disable workspace integration for a service
You can disable workspace integration for specific services. This does not disable the workspace URL; however, it disables the data and applications for that service.
To disable workspace integration for a service:
- Go to Workspace Configuration > Service Integrations.
- Select the ellipsis button next to the service and then select Disable.
Disabling workspace integration blocks subscriber access for that service. Subscribers will no longer have access to data and applications from that service in Citrix Workspace.
The Citrix App Essentials service, Citrix Desktop Essentials service, and Citrix Virtual Apps and Desktops service display as “Citrix Virtual Apps and Desktops service” in the Manage Service Integrations tab.
Customize the workspace URL
The first part of the workspace URL is customizable. You can change the URL from, for example,
The first part of the workspace URL represents the company or organization using the Citrix Cloud account, and must comply with the Citrix End User Services Agreement. Any misuse of a third party’s intellectual property rights including trademarks may result in the revocation and reassignment of the workspace URL and/or the suspension of the Citrix Cloud account.
From the Citrix Cloud menu, go to Workspace Configuration > Access, and select the Edit link next to the workspace URL.
Guidance for new URLs:
- The customizable part of the URL (“newexample”) must be between 6 and 63 characters long. If you want to change the customizable part of the URL to fewer than 6 characters, please open a ticket in Citrix Cloud.
- Must consist of only letters and numbers.
- Cannot include Unicode characters.
- When you rename a URL, the old URL is immediately removed and no longer available.
- If you change the workspace URL, your subscribers cannot access their workspaces until the new URL is active (takes about 10 minutes). You’ll also need to tell them what the new URL is and manually update all local Citrix Receiver apps to use the new URL.
- You can change the workspace URL only when it is enabled. If the URL is disabled, you must re-enable it first. Re-enabling the workspace URL can take up to 10 minutes to take effect.
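The length and character rules above can be pre-checked before you edit the URL in the console. The following is an added example, not Citrix code: `check_workspace_label` and `codes` are hypothetical helper names, the sample labels are constructed, and "letters and numbers" is read as ASCII A-Z, a-z and 0-9.

```python
import string

MIN_LEN, MAX_LEN = 6, 63          # length limits from the guidance above
ALLOWED = set(string.ascii_letters + string.digits)


def check_workspace_label(label):
    """Pre-check the customizable part of a workspace URL.

    Returns a list of (code, detail) tuples; an empty list means the label
    satisfies the length and character rules. Hypothetical helper, not a
    Citrix API: the console remains the authority on what is accepted.
    """
    problems = []

    if len(label) < MIN_LEN:
        problems.append(("too_short",
                         f"{len(label)} characters; fewer than {MIN_LEN} "
                         "requires a Citrix Cloud ticket"))
    elif len(label) > MAX_LEN:
        problems.append(("too_long",
                         f"{len(label)} characters; maximum is {MAX_LEN}"))

    # str.isalnum() is the wrong test here: it returns True for accented,
    # Cyrillic or full-width characters, which look like valid letters and
    # digits but are exactly the Unicode input the guidance rules out.
    non_ascii = sorted({c for c in label if ord(c) > 127})
    if non_ascii:
        detail = ", ".join(f"U+{ord(c):04X}" for c in non_ascii)
        problems.append(("unicode", detail))

    # Remaining ASCII characters that are neither letters nor digits.
    other = sorted({c for c in label if ord(c) <= 127 and c not in ALLOWED})
    if other:
        problems.append(("invalid_char", " ".join(repr(c) for c in other)))

    return problems


def codes(label):
    """Just the violation codes, for quick comparisons."""
    return [code for code, _ in check_workspace_label(label)]


if __name__ == "__main__":
    # Constructed sample labels; the last one ends in Cyrillic U+0435.
    for sample in ["newexample", "acme", "new-example", "newexampl\u0435"]:
        print(sample.encode("unicode_escape").decode(),
              check_workspace_label(sample))
```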
Disable the workspace URL
You can disable the workspace URL to prevent users from authenticating through Workspace. For example, you might prefer that subscribers use an on-premises StoreFront URL to access resources, or you might want to prevent workspace access during maintenance periods.
Disabling or re-enabling the workspace URL can take up to 10 minutes to take effect. After the workspace URL is disabled, Citrix Cloud parks the domain so it can’t be accessed. Anyone visiting the URL receives a 404 message in their browser.
Disabling the workspace URL has the following effects:
- All service integrations are disabled. Subscribers will no longer have access to data and applications from all services in Citrix Workspace.
- You cannot customize the workspace URL. You must re-enable the URL before you can change it.
Provide secure access for your remote subscribers by adding Citrix Gateways or the Citrix Gateway service to the resource locations.
You can add Citrix Gateways from Workspace Configuration > Access > External Connectivity or from Citrix Cloud > Resource Locations.
The External Connectivity part of the Workspace Configuration > Access page is not available in Citrix Virtual Apps Essentials. The Citrix Virtual Apps Essentials service uses the Citrix Gateway service, which requires no additional configuration.
Change authentication to workspaces
Change how subscribers authenticate to their workspace in Workspace Configuration > Authentication > Workspace Authentication.
As an administrator, you can choose to have your subscribers (end users) authenticate to their workspaces using Active Directory, Active Directory plus token, or Azure Active Directory. These authentication options are available to any Citrix Cloud service, including access control.
Access control is a feature that delivers access for end users to SaaS, web, and virtual apps with a single sign-on (SSO) experience.
Switching authentication modes can take up to five minutes and causes an outage to your subscribers during that time. Citrix recommends limiting changes to the authentication methods to periods of low usage. If you do have subscribers logged on to Citrix Workspace using a browser or Citrix Workspace app, please advise them to close the browser or exit the app. After waiting approximately five minutes, they can log back on again using the new authentication method.
By default, Citrix Cloud uses Active Directory to manage subscriber authentication to workspaces. Using Active Directory requires that you have a Citrix Cloud Connector installed in the on-premises Active Directory domain. For more information about installing the Cloud Connector, see Cloud Connector Installation.
Active Directory plus token
For additional security, Citrix Workspace supports a token as a second factor of authentication in addition to Active Directory sign-in.
When you use Active Directory plus token authentication, Workspace prompts all subscribers during every sign-in to enter a token from their enrolled device. Currently, subscribers configured with Active Directory plus token authentication can enroll only one device at a time.
Active Directory plus token authentication has the following requirements:
- A connection between Active Directory and Citrix Cloud, with at least two Cloud Connectors installed in your on-premises environment. For requirements and instructions, see Connect Active Directory to Citrix Cloud.
- In the Citrix Cloud console, Active Directory + Token authentication enabled on the Identity and Access Management page. For more information, see To enable Active Directory plus token authentication.
- Subscribers need access to email to enroll devices.
- During first-time sign-in to Workspace, subscribers follow the prompts to download the Citrix SSO app. The Citrix SSO app generates a unique one-time password on an enrolled device every 30 seconds.
To re-enroll devices
If a subscriber no longer has their enrolled device or needs to re-enroll it (for example, after erasing all content from the device), Workspace provides the following options:
- Subscribers can re-enroll their devices using the same enrollment process described in Device registration. Because subscribers can enroll only one device at a time, enrolling a new device or re-enrolling an existing device removes the previous device registration.
- Administrators can search for subscribers by Active Directory name and reset their device. To do that, go to Identity and Access Management > Recovery. During the next sign-on to Workspace, the subscriber experiences the first-time enrollment steps described in Device registration.
Azure Active Directory
Use of Azure Active Directory (AD) to manage subscriber authentication to workspaces has the following requirements:
- Azure AD with a user who has global administrator permissions.
- A Citrix Cloud Connector installed in the on-premises Active Directory domain. The machine must also be joined to the domain that is syncing to Azure AD.
- VDA version 7.15.2000 LTSR CU VDA or 7.18 current release VDA or higher.
- A connection between Azure AD and Citrix Cloud. For information, see Connect Azure Active Directory to Citrix Cloud. When syncing your Active Directory to Azure AD, the UPN and SID entries must be included in the sync. If these entries are not synchronized, certain workflows in Citrix Workspace will fail.
- If you are using Azure AD, do not make the registry change described in CTX225819. Making this change may cause session launch failures for Azure AD users.
- Adding a group as a member of another group (nesting) is not supported for federated authentication using Azure AD. If you do assign a nested group to a catalog, members of that group can’t access apps from the catalog.
After enabling Azure AD authentication:
- Manage users and user groups by using Citrix Cloud Library: Use only the Citrix Cloud Library to manage users and user groups. (Do not specify users and user groups when creating or editing Delivery Groups.)
- Added security: Users are prompted to sign in again when launching an app or a desktop. This is intentional and provides more security, because the password information flows directly from the user’s device to the VDA that is hosting the session.
- Sign-in experience: Users have a different sign-in experience in Azure AD. Selecting Azure AD authentication provides federated sign-in, not single sign-on. Users sign in to workspace from an Azure sign-in page; however, they may have to authenticate a second time when opening an app or desktop from the Citrix Virtual Apps and Desktops service. You can customize the sign-in experience for Azure AD. For information, see the Microsoft documentation. Any sign-in customizations (the logo) made in Workspace Configuration do not affect the Azure AD sign-in experience.
The following diagram shows the sequence of Azure AD authentication.
Citrix Workspace supports using an on-premises Citrix Gateway as an identity provider to manage subscriber authentication to workspaces.
Citrix Gateway authentication has the following requirements:
- A connection between your Active Directory and Citrix Cloud. For requirements and instructions, see Connect Active Directory to Citrix Cloud.
- Subscribers must be Active Directory users to sign in to their workspaces.
- If you are performing federation, your AD users must be synchronized to the federation provider. Citrix Cloud requires the AD attributes to allow your users to sign in successfully.
- An on-premises Citrix Gateway:
  - Citrix Gateway 12.1 54.13 Advanced edition or later
  - Citrix Gateway 13.0 41.20 Advanced edition or later
- Citrix Gateway authentication is enabled on the Identity and Access Management page. This action generates the client ID, secret, and redirect URL required to create the connection between Citrix Cloud and your on-premises Gateway.
- On the Gateway, an OAuth IDP authentication policy is configured using the generated client ID, secret, and redirect URL.
For more information, see Connect an on-premises Citrix Gateway as an identity provider to Citrix Cloud.
Okta (Technical Preview)
Citrix Workspace supports using Okta as an identity provider to manage subscriber authentication to workspaces.
Okta authentication is currently in Technical Preview. Citrix recommends using technical preview features only in test environments.
Okta authentication has the following requirements:
- A connection between your on-premises Active Directory and your Okta organization.
- An Okta OIDC web application configured for use with Citrix Cloud. To connect Citrix Cloud to your Okta organization, you need to supply the Client ID and Client Secret associated with this application.
- A connection between your on-premises Active Directory domain and Citrix Cloud, with Okta authentication enabled on the Identity and Access Management page.
For more information, see Connect Okta as an identity provider to Citrix Cloud.
User sign-out experience
If Citrix Workspace times out in the browser due to inactivity, subscribers remain signed in to Azure AD. This is by design, to prevent a Citrix Workspace timeout from forcing other Azure AD applications to close.
To close Citrix Workspace, use Settings > Log Off. That option completes the sign-out process from the workspace and Azure AD. If subscribers close the browser instead of using the Log Off option, they might remain signed in to Azure AD.
Customize the appearance of workspaces
To customize how subscribers see their workspace, change the settings in Workspace Configuration > Customize > Appearance and select Save.
Changes to the workspace appearance take effect right away. Local Citrix Receiver apps may take around five minutes for the updated user interface to display.
The Workspace Preview does not show a preview if you are currently working with the older “purple” user interface.
| Logo | Required dimensions | Max. size | Supported formats |
|---|---|---|---|
| Sign-in logo | 350 x 120 pixels | 2 MB | JPEG, JPG, or PNG |
| After sign-in logo | 340 x 80 pixels | 2 MB | JPEG, JPG, or PNG |
Logos that do not match the required dimensions may appear distorted.
The Sign-in logo appears on the workspace sign-in form. You can replace the Workspace logo with your own. The colors and branding of the rest of the sign-in page are not affected.
Changes to the sign-in logo do not impact users who authenticate to their workspace using Azure Active Directory. For more information on how to add company branding to your sign-in page in Azure AD, see the Microsoft documentation.
The After Sign-in logo appears at the top left of the workspace.
The Content Branding colors change the header background, text and icon color, and the accent color in the workspace.
Customize workspace preferences
Customize how subscribers interact with their workspace in Workspace Configuration > Customize > Preferences.
Allow Favorites is available to customers who have access to Workspace Configuration and the new workspace experience.
- Enabled (default). Workspace subscribers can add favorite apps (up to a maximum of 250) by selecting the star icon.
- Disabled. Subscribers can’t select apps as favorites. Favorites are not deleted and can be recovered if you re-enable Favorites.
For some existing customers (new to workspace between December 2017 and April 2018), Allow Favorites defaults to Disabled. The administrator can decide when to enable this feature for their subscribers.
- If a subscriber adds more than the maximum (250) apps as favorites, the oldest favorite is removed (or the closest possible to it, to preserve the most recent favorites).
- Administrators can automatically add favorite apps for subscribers by using KEYWORDS: Auto and KEYWORDS: Mandatory. These settings are available in the Virtual Apps and Desktops service in Manage > Full Configuration > Applications.
  - KEYWORDS: Auto. The application is added as a favorite, but subscribers can remove the favorite.
  - KEYWORDS: Mandatory. The application is added as a favorite, and subscribers cannot remove the favorite. Mandatory apps do not display a star icon.
Automatically Launch Desktop
Automatically Launch Desktop is available to customers who have access to Workspace Configuration and the new workspace experience. This preference only applies to workspace access from a browser.
- Disabled (default). Prevents Citrix Workspace from automatically starting a desktop when a subscriber signs in. Subscribers must manually launch their desktop after signing in.
- Enabled. If a subscriber has only one available desktop, the desktop automatically launches when the subscriber signs in to the workspace. The subscriber’s applications aren’t reconnected, regardless of the workspace control configuration.
To enable Citrix Workspace to launch desktops automatically, subscribers accessing the site through Internet Explorer must add the workspace URL to the Local intranet or Trusted sites zones.
Use the Workspace Timeout preference to specify the amount of idle time allowed (up to a maximum of 8 hours) before subscribers are automatically signed out of Citrix Workspace. This preference applies to browser access only, and does not apply to access from a local Citrix Workspace app.
Citrix Workspace Preferences
Citrix Workspace Preferences is available to customers who have access to Workspace Configuration and the new workspace experience. This preference applies to the way users open apps and desktops delivered by Citrix Virtual Apps and Desktops only (service, or on-premises from the Site aggregation feature). It does not apply to, for example, SaaS apps delivered by the Citrix Gateway service. This preference is available to new and existing customers; however, the introduction of this feature does not change any settings for existing customers.
- In a native app (default). Uses a locally installed version of Citrix Workspace – gives the best experience for the platform the user is on.
- In a browser. Uses Citrix Workspace for HTML5 – no client software is required.
- Let users choose. Prompts users to detect a locally installed version of Citrix Workspace, or to use Citrix Workspace for HTML5 in their browser where possible.
For the In a native app and Let users choose options, there is an additional check box option to guide users to install the latest version of Citrix Workspace if a local app can’t be detected automatically. Removing this selection makes sense if your users don’t have rights to install software.