This section captures the FAQ on the Citrix SSO app.

How is Citrix SSO app different from Citrix VPN app? Citrix SSO is the next generation SSL VPN client for Citrix ADC. The App uses Apple’s Network Extension framework to create and manage VPN connections on iOS and macOS devices. Citrix VPN is the legacy VPN client that uses Apple’s private VPN APIs which is now deprecated. Support for Citrix VPN will be removed from the App Store in the months to come.

What is NE? The Network Extension (NE) framework from Apple is a modern library which contains APIs that can be used to customize and extend the core networking features of iOS and macOS. Network Extension with support for SSL VPN is available on devices running iOS 9+ and macOS 10.11+.

For which versions of Citrix ADC is the Citrix SSO compatible? VPN features in Citrix SSO are supported on Citrix ADC versions 10.5 and above. The TOTP is available on Citrix ADC version 12.0 and above. Push Notification on Citrix ADC has not been publicly announced yet. The App requires iOS 9+ and macOS 10.11+ versions.

How does Cert-based authentication for non-MDM customers work? Customers who previously distributed Certificates via Email or Browser to perform Client Certificate Authentication in Citrix VPN must note this change when using Citrix SSO. This is mostly true for non-MDM customers who do not use an MDM Server to distribute User Certificates. For details, see “Importing Certificates into Citrix SSO via Email” to be able to distribute Certificates.

What is Network Access Control (NAC)? How do I configure NAC with Citrix SSO and Citrix Gateway? Microsoft Intune and Citrix Endpoint Management (formerly XenMobile) MDM customers can take advantage of the Network Access Control (NAC) feature in Citrix SSO. With NAC, administrators can secure their enterprise internal network by adding an extra layer of authentication for mobile devices that are managed by an MDM server. Administrators can enforce a device compliancy check at the time of authentication in Citrix SSO.

To use NAC with Citrix SSO, you must enable it on both the Citrix Gateway and the MDM server.

  • To enable NAC on Citrix ADC refer this link.
  • If an MDM vendor is Intune refer this link.
  • If an MDM vendor is Citrix Endpoint Management (formerly XenMobile) refer this link.


    The minimum supported Citrix SSO version is 1.1.6 and above.