Citrix DaaS

Create delivery groups


A delivery group is a collection of machines selected from one or more machine catalogs. The delivery group can also specify which users can use those machines, plus the applications and desktops available to those users.

Creating a delivery group is the next step in configuring your deployment after creating a machine catalog. Later, you can change the initial settings in the first delivery group and create other delivery groups. There are also features and settings you can configure only when editing a delivery group, not when creating it.

Before creating a delivery group:

  • Review this section to learn about the choices you make and the information you supply.
  • Ensure that you have created a connection to the hypervisor, cloud service, or other resource that hosts your machines.
  • Ensure that you have created a machine catalog containing virtual or physical machines.

To launch the delivery group creation wizard:

  1. Sign in to Citrix Cloud. In the upper left menu, select My Services > DaaS.
  2. Select Manage.
  3. If this is the first delivery group being created, the console guides you to the correct selection (such as “Set up delivery groups to be displayed as services”). The delivery group creation wizard opens and walks you through the process.
  4. If you already created a delivery group and want to create another, follow these steps:

    1. From Manage > Full Configuration, select Delivery Groups in the left pane.
    2. To organize delivery groups using folders, create folders under the default Delivery Groups folder. For more information, see Create a group folder.
    3. Select the folder where you want to create the group, and then click Create Delivery Group. The group creation wizard opens.

The wizard walks you through the pages described in the following sections. The wizard pages that you see might be different, depending on the selections you make.

Step 1. Machines

To create a delivery group with single-session suspend-capable only VMs, select Make suspend capability required for this delivery group check box.


  • This feature is available only for single-session VMs for now.
  • If you don’t want to create a suspend-capable delivery group, select a machine catalog, and follow the rest of the delivery group creation wizard instructions.

Select a machine catalog and select the number of machines you want to use from that catalog.

Good to know:

  • At least one machine must remain unused in a selected catalog.
  • A catalog can be specified in more than one delivery group. However, a machine can be used in only one delivery group.
  • A delivery group can use machines from more than one catalog. However, those catalogs must contain the same machine types (multi-session OS, single-session OS, or Remote PC Access). In other words, you cannot mix machine types in a delivery group. Similarly, if your deployment has catalogs of Windows machines and catalogs of Linux machines, a delivery group can contain machines from either OS type, but not both.

  • A MCS delivery group can only add a MCS type catalog.
  • Citrix recommends that you install or upgrade all VDAs with the latest version, and then peform Change functional level for machine catalogs and delivery groups as needed. When creating a delivery group, if you select machines that have different VDA versions installed, the delivery group will be compatible with the earliest VDA version. For example, if one of the machines you select has VDA version 7.1 installed and other machines have a later version, all machines in the group can use only those features that were supported in VDA 7.1. This means that some features that require newer VDA versions might not be available in that delivery group.

  • The following compatibility checks are performed:
    • MinimumFunctionalLevel must be compatible
    • SessionSupport must be compatible
    • AllocationType must be compatible for SingleSession
    • ProvisioningType must be compatible
    • PersistChanges must be compatible for MCS and Citrix Provisioning
    • RemotePC catalog is only compatible with RemotePC catalog
    • AppDisk related check

Step 2. Load balancing (Preview)

To configure the load balancing settings while creating a delivery group:

  1. Log in to DaaS Premium.
  2. In the left navigation, click Delivery Groups.
  3. In the Delivery Groups page, click Create Delivery Group.
  4. In the Create Delivery Group wizard, click Next. The Machine wizard opens.
  5. In the Machines wizard, select a required machine catalog and click Next. The Load Balancing wizard opens.
  6. In the Load Balancing wizard, select the Override site-wide setting checkbox.
  7. Select the Horizontal load balancing or Vertical load balancing option as required and click Next.

load balancing settings while creating a delivery group

To configure the load balancing settings while editing an existing delivery group:

  1. Log in to DaaS Premium.
  2. In the left navigation, click Delivery Groups.
  3. Select a Delivery Group from the list and click Edit. The Edit Delivery Group wizard opens.
  4. In the Edit Delivery Group page, click Load Balancing.
  5. Select the Override site-wide setting checkbox.
  6. Select either Horizontal load balancing or Vertical load balancing option as required and click Save.

load balancing settings while editing a delivery group


When Vertical load balancing setting is applied, make sure that the Concurrent logon tolerance and Maximum number of sessions polices are configured appropriately.

Policy settings for Vertical Load Balancing while creating or editing a delivery group

For more information about load balancing at site level and delivery group level, see Load balance machines.

Step 3. Delivery type

This page appears only if you chose a machine catalog containing static (assigned) single-session OS machines. Choose either Applications or Desktops. You cannot enable both.

If you selected machines from a multi-session OS or single-session OS random (pooled) catalog, the delivery type is assumed to be applications and desktops. You can deliver applications, desktops, or both.

Step 4. AppDisks

Ignore this page. Select Next.

Step 5. Users

Specify the users and user groups who can use the applications and desktops in the delivery group.

Where user lists are specified

User lists are specified when you create or edit the following:

  • A deployment’s user access list, which is not configured through this console. By default, the application entitlement policy rule includes everyone. See the PowerShell SDK BrokerAppEntitlementPolicyRule cmdlets for details.
  • Delivery groups.
  • Applications.


When specifying a user list, you can select user accounts from any of the following identity providers to which your Citrix Cloud account is connected: Active Directory, Azure Active Directory (Microsoft Entra ID), or Okta.

The list of users who can access an application is formed by the intersection of the above user lists.

Authenticated and unauthenticated users

There are two types of users: authenticated and unauthenticated (unauthenticated is also called anonymous). You can configure one or both types in a delivery group.

  • Authenticated: To access applications and desktops, the users and group members you specify by name must present credentials such as smart card or user name and password to StoreFront or Citrix Workspace app. (For delivery groups containing single-session OS machines, you can import user data (a list of users) later by editing the delivery group.)

  • Unauthenticated (anonymous): For delivery groups containing multi-session OS machines, you can allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Workspace app. For example, at kiosks, the application might require credentials, but the Citrix access portal and tools do not. An Anonymous Users Group is created when you install the first Delivery Controller.

    To grant access to unauthenticated users, each machine in the delivery group must have a multi-session OS VDA installed. When unauthenticated users are enabled, you must have an unauthenticated StoreFront store.

    Unauthenticated user accounts are created on demand when a session is launched, and named AnonXYZ, in which XYZ is a unique three-digit value.

    Unauthenticated user sessions have a default idle timeout of 10 minutes, and are logged off automatically when the client disconnects. Reconnection, roaming between clients, and Workspace Control are not supported.

The following table describes your choices on the Users page:

Enable access for Add/assign users and user groups? Enable the “Give access to unauthenticated users” check box?
Only authenticated users Yes No
Only unauthenticated users No Yes
Both authenticated and unauthenticated users Yes Yes

Restricting user or group access

You can also restrict use of a delivery group by adding users or user groups to the Allow list. Only users on the Allow list can access apps and desktops in the delivery group. You can also add users and user groups to a block list by clicking Add block list, which prevents users from using apps and desktops in the selected delivery group. A block list is meaningful only when used to block users in the allow list.

Step 6. Applications

Good to know:

  • You can add packaged applications to Single-session static and Remote PC Access delivery groups. The packages containing those applications are automatically mounted each time users sign in to their desktops or remote PCs.
  • By default, new applications you add are placed in a folder named Applications. You can specify a different folder. For details, see the Applications article.
  • You can change the properties for an application when you add it to a delivery group, or later. For details, see the Applications article.
  • If you try to add an application and one with the same name already exists in that folder, you are prompted to rename the application you are adding. If you decline, the application is added with a suffix that makes it unique within that application folder.
  • When you add an application to more than one delivery group, a visibility issue can occur if you do not have permission to view the application in all those delivery groups. In such cases, either consult an administrator with greater permissions or have your scope extended to include all the delivery groups to which the application was added.
  • If you publish two applications with the same name to the same users, change the Application name (for user) property. Otherwise, users see duplicate names in Citrix Workspace app.

Select the Add menu to display the application sources.

  • From Start menu: Applications that are discovered on a machine created from the image in the selected catalog. When you select this source, a new page launches with a list of discovered applications; select those you want to add and then select OK.
  • Manually: Applications located in the deployment or elsewhere in your network. When you select this source, a new page launches where you type the path to the executable, working directory, optional command line arguments, and display names for administrators and users. After entering this information, select OK.
  • Existing: Applications previously added to the deployment, perhaps in another delivery group. When you select this source, a new page launches with a list of discovered applications; select those you want to add and then select OK.
  • Application packages: Applications in App-V, MSIX, MSIX app attach, or FlexApp application packages. When you select this source, the Add Applications from Packages page launches. Select an application package source, select the applications you want to add from the resulting display, and then select OK


    To publish MSIX or MSIX app attach apps, the delivery group’s functional level must be 2106 or later. For FlexApp apps, the functional level must be 2206 or later. When a functional level requirement isn’t met, the corresponding options in the Application package source dropdown list are dimmed.

  • Application group: Application groups that exist in the deployment.

If an application source or application is not available or valid, it is either not visible or cannot be selected. For example, the Existing source is not available if no applications have been added to the deployment. Or, an application might not be compatible with the supported session types on machines in the selected machine catalog.

Step 7. App Protection

The following information is supplemental to the App protection article in the Citrix Virtual Apps and Desktops documentation. To use app protection in a Citrix DaaS deployment, follow the general guidance in that article, minding the following details.

  • You must have a valid Citrix Cloud subscription and valid app protection entitlements. To purchase the app protection feature, you can contact your Citrix sales representative.

  • App protection requires XML trust. To enable XML trust, go to Settings > Enable XML trust.

  • Regarding anti-screen-capturing:

    • On Windows and macOS, only the window of the protected content is blank. App protection is active when a protected window is not minimized.
    • On Linux, the entire capture is blank. App protection is active whether a protected window is minimized or not.

To configure the Contextual App protection:

  1. Click Delivery Groups in the left pane, select a Delivery Group and click Edit.
  2. Click App Protection on the left and the following options are available:

    Options Description
    Do not apply Select this option to not apply the setting.
    Apply to this delivery group Select Anti-keylogging and/or Anti key capturing options. Hover over each of these settings to read the details in the tool tip.
    Apply contextually

    To apply this setting, configure the access policy in the Access Policy settings page.
    1. Click Access Policy in the left pane and click Add.
    2. On the Add Policy page, do the following
      • i. Enter a Policy name and configure the settings as required.
      • ii. In the Filter and Value fields, enter the details and click Done. The new policy is listed in the App Protection page. Enable the required settings for this policy.
      • iii. Click Save.
  3. On the Delivery Group page, select the Delivery Group and click the Details tab at the bottom. The new App Protection settings applied are displayed.

Step 8. Desktops (or Desktop Assignment Rules)

The title of this page depends on the machine catalog you chose earlier in the wizard:

  • If you chose a catalog containing pooled machines, this page is titled Desktops.
  • If you chose a catalog containing single-session static machines and specified “Desktops” on the Delivery Type page, this page is titled Desktop Assignment Rules.
  • If you chose a catalog containing single-session static machines and specified “Applications” on the Delivery Type page, this page is titled Applications.

Select Add. In the dialog box:

  • In the Display name and Description fields, type the information to be displayed in Citrix Workspace app.
  • To add a tag restriction to a desktop, select Restrict launches to machines with this tag and then select the tag from the menu.
  • Using the radio buttons, you can either:
    • Allow everyone with access to this delivery group to use a desktop. All users in the delivery group can launch a desktop (for groups with pooled machines) or be assigned a machine when they launch the desktop (for groups with single-session static machines).
    • Restrict desktop use by adding users and user groups to the Allow list. Only users on the Allow list can access a desktop. You can also add users and user groups to a block list by clicking Add block list, which prevents users from using desktops in the selected delivery group. A block list is meaningful only when used to block users in the allow list.
  • If the group contains single-session static machines, specify the maximum number of desktops per user. This must be a value of one or greater.
  • Enable or disable the desktop (for pooled machines) or desktop assignment rule (for single-session static machines). Disabling a desktop stops desktop delivery. Disabling a desktop assignment rule stops desktop auto-assignment to users.
  • When you are finished with the dialog box, select OK.

Step 9. License assignment

Determine which license you want the delivery group to use. By default, the delivery group uses the site license. For more information, see Multi-type licensing.

Step 10: Local Host Cache setting

This setting is visible only for delivery groups containing power-managed single-session pooled machines.

By default, those machines are unavailable when in Local Host Cache (LHC) mode due to data exposure risks. To change the default behavior and make them available for new user connections when in LHC mode, select Keep resources available.

Alternatively, you can change the default behavior using PowerShell commands. For more information, see Application and desktop support.


Enabling access to power-managed single-session pooled machines can cause data and changes from previous user sessions being present in subsequent sessions.

Step 11. Summary

Enter a name for the delivery group. You can also (optionally) enter a description, which appears in Workspace app and in the Full Configuration management interface.

Review the summary information and then select Finish. If you did not select any applications or specify any desktops to deliver, you are asked if you want to continue.

More information