Citrix SSO for iOS and macOS devices

The legacy Citrix VPN client was built using Apple’s private VPN APIs that is now deprecated. VPN support in Citrix SSO is rewritten from the ground up using Apple’s public Network Extension framework.


Citrix SSO for macOS is supported on 10.15 (Catalina), 11.x (Big Sur) and 12.x (Monterey). It supports devices with Intel chips and M1 chips.

Users with hardware which cannot be upgraded to one of the earlier mentioned versions (macOS 10.15 and macOS 11.0) have access to the last compatible version on the App Store, but there is no further updates to the older versions.

End-of-life (EOL) for older versions of macOS is planned for Q1 2021.

Following are some of the major features introduced with the Citrix SSO app:

  • Password tokens: A password token is a 6-digit code which is an alternative to Secondary Password Services such as VIP, OKTA. This code uses the Time-based One Time Password (T-OTP) protocol to generate the OTP code similar to services such as Google Authenticator and Microsoft Authenticator. Users are prompted for two passwords during authentication to Citrix Gateway for a given Active Directory user. The second factor is a changing six-digit code that users copy from a registered third-party service such as Google or Microsoft Authenticator into the desktop browser. Users must first register for T-OTP on the Citrix ADC appliance. For registration steps, refer On the app, users can add the OTP feature by scanning the QR Code generated on Citrix ADC or manually entering the TOTP secret. OTP Tokens once added show up on the Password Tokens segment on the user interface.

To improve the experience, adding an OTP prompts the user to create a VPN profile automatically. Users can take advantage of this VPN profile to connect to the VPN directly from their iOS devices.

Citrix SSO app can be used to scan the QR code while registering for Native OTP support. Citrix Gateway Push notification functionality is available only to the Citrix SSO app users.

  • Push notification: Citrix Gateway sends push notification on your registered mobile device for a simplified two-factor authentication experience. Instead of opening the Citrix SSO app to type in the second factor OTP on the Citrix ADC logon page, you can validate your identity by providing your Device PIN/Touch ID/ Face ID for the registered device.

Once you register your device for Push notification, you can also use the device for Native OTP support using the Citrix SSO app. Registration for Push Notifications is transparent to the user. When users register TOTP, the device is also registered for Push Notifications if Citrix ADC supports it.

Citrix SSO for iOS and macOS devices