Citrix SSO for iOS and Citrix Secure Access for macOS
The legacy Citrix VPN client was built using Apple’s private VPN APIs that is now deprecated. VPN support in Citrix SSO for iOS and Citrix Secure Access for macOS is rewritten from the ground up using Apple’s public Network Extension framework.
Citrix Secure Access for macOS is supported on 10.15 (Catalina), 11.x (Big Sur) and 12.x (Monterey). It supports devices with Intel chips and M1 chips.
- Users with hardware which cannot be upgraded to one of the earlier mentioned versions (macOS 10.15 and macOS 11.0) have access to the last compatible version on the App Store, but there is no further updates to the older versions.
- If a macOS user switches between App Store app and TestFlight preview build or vice versa, then the users must recreate the connection profile by performing the following steps.
- Click the hamburger menu and then click Configuration.
- Delete the profile from the list and add the same profile again.
Major features of the Citrix SSO app for iOS and the Citrix Secure Access agent for macOS
- Password tokens: A password token is a 6-digit code which is an alternative to Secondary Password Services such as VIP, OKTA. This code uses the Time-based One Time Password (T-OTP) protocol to generate the OTP code similar to services such as Google Authenticator and Microsoft Authenticator. Users are prompted for two passwords during authentication to Citrix Gateway for a given Active Directory user. The second factor is a changing six-digit code that users copy from a registered third-party service such as Google or Microsoft Authenticator into the desktop browser. Users must first register for T-OTP on the Citrix ADC appliance. For registration steps, refer https://support.citrix.com/article/CTX228454. On the app, users can add the OTP feature by scanning the QR Code generated on Citrix ADC or manually entering the TOTP secret. OTP Tokens once added show up on the Password Tokens segment on the user interface.
To improve the experience, adding an OTP prompts the user to create a VPN profile automatically. Users can take advantage of this VPN profile to connect to the VPN directly from their iOS devices.
The Citrix SSO app for iOS or the Citrix Secure Access agent for macOS can be used to scan the QR code while registering for native OTP support. Citrix Gateway Push notification functionality is available only to the Citrix SSO for iOS and Citrix Secure Access for macOS users.
- Push notification: Citrix Gateway sends push notification on your registered mobile device for a simplified two-factor authentication experience. Instead of opening the Citrix SSO for iOS app or Citrix Secure Access agent for macOS to type in the second factor OTP on the Citrix ADC logon page, you can validate your identity by providing your Device PIN/Touch ID/ Face ID for the registered device.
Once you register your device for Push notification, you can also use the device for native OTP support using the Citrix SSO app for iOS or the Citrix Secure Agent for macOS. Registration for Push Notifications is transparent to the user. When users register TOTP, the device is also registered for Push Notifications if Citrix ADC supports it.