This article shows administrators how to configure workspaces for subscribers, who might be using one or more services available from Citrix Cloud.
The following addresses need to be contactable in order to properly operate and consume Citrix Workspace:
For a full listing of Citrix Cloud connectivity requirements, see Internet Connectivity Requirements.
Change access to workspace
In Citrix Cloud > Workspace Configuration > Access, the Workspace URL is ready to use. You enable the availability of individual service resources to your users, for example the Citrix Virtual Apps and Desktops service, from the Service Integrations tab. All new services that your organization subscribes to are disabled by default.
In Citrix Virtual Apps Essentials, Workspace Configuration is available from the Citrix Cloud menu after you create the first catalog.
Disable workspace integration for a service
You can disable workspace integration for specific services. This does not disable the workspace URL, however it disables the data and applications for a service.
To disable workspace integration for a service:
- Go to Workspace Configuration > Service Integrations.
- Select the ellipsis button (…) next to the service, and Disable.
Disabling workspace integration blocks subscriber access for that service. Subscribers will no longer have access to data and applications from that service in Citrix Workspace.
The Citrix App Essentials service, Citrix Desktop Essentials service, and Citrix Virtual Apps and Desktops service display as “Citrix Virtual Apps and Desktops service” in the Manage Service Integrations tab.
Customize the workspace URL
The first part of the workspace URL is customizable. You can change the URL from, for example,
The first part of the workspace URL represents the company or organization using the Citrix Cloud account, and must comply with the Citrix End User Services Agreement. Any misuse of a third party’s intellectual property rights including trademarks may result in the revocation and reassignment of the workspace URL and/or the suspension of the Citrix Cloud account.
From the Citrix Cloud menu, go to Workspace Configuration > Access, and select the Change link next to the workspace URL.
Guidance for new URLs:
- The customizable part of the URL (“newexample”) must be between 6 and 63 characters long. If you want to change the customizable part of the URL to fewer than 6 characters, please open a ticket in Citrix Cloud.
- Must consist of only letters and numbers.
- Cannot include Unicode characters.
- When you rename a URL, the old URL is immediately removed and no longer available.
- If you change the workspace URL, your subscribers cannot access their workspaces until the new URL is active (takes about 10 minutes). You’ll also need to tell them what the new URL is and manually update all local Citrix Receiver apps to use the new URL.
Provide secure access for your remote subscribers by adding Citrix Gateways or the Citrix Gateway service to the resource locations.
You can add Citrix Gateways from Workspace Configuration > Access > External Connectivity or from Citrix Cloud > Resource Locations.
The External Connectivity part of the Workspace Configuration > Access page is not available in Citrix Virtual Apps Essentials. The Citrix Virtual Apps Essentials service uses the Citrix Gateway service, which requires no additional configuration.
Change authentication to workspaces
Change how subscribers authenticate to their workspace in Workspace Configuration > Authentication > Workspace Authentication.
As an administrator, you can choose to have your subscribers (end users) authenticate to their workspaces using Active Directory or Azure Active Directory. These authentication options are available to any Citrix Cloud service, including access control.
Access control is a feature that delivers access for end users to SaaS, web, and virtual apps with a single sign-on (SSO) experience.
Switching authentication modes can take up to five minutes and causes an outage to your subscribers during that time. Citrix recommends limiting changes to the authentication methods to periods of low usage. If you do have subscribers logged on to Citrix Workspace using a browser or Citrix Workspace app, please advise them to close the browser or exit the app. After waiting approximately five minutes, they can log back on again using the new authentication method.
By default, Citrix Cloud uses Active Directory to manage subscriber authentication to workspaces. Using Active Directory requires that you have a Citrix Cloud Connector installed in the on-premises Active Directory domain. For more information about installing the Cloud Connector, see Cloud Connector Installation.
Azure Active Directory
Use of Azure Active Directory (AD) to manage subscriber authentication to workspaces has the following requirements:
- Azure AD with a user who has global administrator permissions.
- A Citrix Cloud Connector installed in the on-premises Active Directory domain. The machine must also be joined to the domain that is syncing to Azure AD.
- VDA version 7.15.2000 LTSR CU VDA or 7.18 current release VDA or higher.
- A connection between Azure AD and Citrix Cloud. For information, see Connect Azure Active Directory to Citrix Cloud. When syncing your Active Directory to Azure AD, the UPN and SID entries must be included in the sync. If these entries are not synchronized, certain workflows in Citrix Workspace will fail.
- If you are using Azure AD, do not make the registry change described in CTX225819. Making this change may cause session launch failures for Azure AD users.
- Adding a group as a member of another group (nesting) is not supported for federated authentication using Azure AD. If you do assign a nested group to a catalog, members of that group can’t access apps from the catalog.
After enabling Azure AD authentication:
- Manage users and user groups by using Citrix Cloud Library: Use only the Citrix Cloud Library to manage users and user groups. (Do not specify users and user groups when creating or editing Delivery Groups.)
- Added security: Users are prompted to sign in again when launching an app or a desktop. This is intentional and provides more security, because the password information flows directly from user’s device to the VDA that is hosting the session.
- Sign-in experience: Users have a different sign-in experience in Azure AD. Selecting Azure AD authentication provides federated sign-in, not single sign-on. Users sign in to workspace from an Azure sign-in page, however they may have to authenticate a second time when opening an app or desktop from the Citrix Virtual Apps and Desktops service. You can customize the sign-in experience for Azure AD. For information, see the Microsoft documentation. Any sign-in customizations (the logo) made in Workspace Configuration do not affect the Azure AD sign-in experience.
The following diagram shows the sequence of Azure AD authentication.
User sign-out experience
If Citrix Workspace times out in the browser due to inactivity, subscribers remain signed in to Azure AD. This is by design, to prevent a Citrix Workspace time out from forcing other Azure AD applications to close.
To close Citrix Workspace, use Settings > Log Off. That option completes the sign-out process from the workspace and Azure AD. If subscribers close the browser instead of using the Log Off option, they might remain signed in to Azure AD.
Customize the appearance of workspaces
To customize how subscribers see their workspace, change the settings in Workspace Configuration > Customize > Appearance and Save.
Changes to the workspace appearance take effect right away. Local Citrix Receiver apps may take around five minutes for the updated user interface to display.
The Workspace Preview does not show a preview if you are currently working with the older “purple” user interface.
|Logo||Required Dimensions||Max. size||Supported formats|
|Sign-in logo||350 x 120 pixels||2 MB||JPEG, JPG, or PNG|
|After sign-in logo||340 x 80 pixels||2MB||JPEG, JPG, or PNG|
Logos that do not match the required dimensions may appear distorted.
The Sign-in logo appears on the workspace sign-in form. You can replace the Workspace logo with your own. The colors and branding of the rest of the sign-in page are not affected.
Changes to the sign-in logo do not impact users who authenticate to their workspace using Azure Active Directory. For more information on how to add company branding to your sign-in page in Azure AD, see the Microsoft documentation.
The After Sign-in logo appears at the top left of the workspace.
The Content Branding colors change the header background, text and icon color, and the accent color in the workspace.
Customize workspace preferences
Customize how subscribers interact with their workspace in Workspace Configuration > Customize > Preferences.
Allow Favorites is available to customers who have access to Workspace Configuration and the new workspace experience.
Enabled (default). Workspace subscribers can add favorite apps (up to a maximum of 250) by selecting the star icon.
Disabled. Subscribers can’t select apps as favorites. Favorites are not deleted and can be recovered if you re-enable Favorites.
For some existing customers (new to workspace between December 2017 and April 2018), Allow Favorites defaults to Disabled. The administrator can decide when to enable this feature for their subscribers.
- If a subscriber adds more than the maximum (250) as a favorite, the “oldest favorite” app will be removed (or as close as possible to preserve the most recent favorites).
- Administrators can automatically add favorite apps for subscribers by using KEYWORDS: Auto and KEYWORDS: Mandatory. These settings are available in the Virtual Apps and Desktops service in Manage > Full Configuration > Applications.
- KEYWORDS: Auto. The application is added as a favorite, however subscribers can remove the favorite.
- KEYWORDS: Mandatory. The application is added as a favorite, however subscribers cannot remove the favorite. Mandatory apps do not display a star icon.
Automatically Launch Desktop
Automatically Launch Desktop is available to customers who have access to Workspace Configuration and the new workspace experience. This preference only applies to workspace access from a browser.
Disabled (default). Prevents Citrix Workspace from automatically starting a desktop when a subscriber signs in. Subscribers must manually launch their desktop after signing in.
Enabled. If a subscriber has only one available desktop, the desktop automatically launches when the subscriber signs in to the workspace. The subscriber’s applications aren’t reconnected, regardless of the workspace control configuration.
To enable Citrix Workspace to launch desktops automatically, subscribers accessing the site through Internet Explorer must add the workspace URL to the Local intranet or Trusted sites zones.