Set up Citrix SSO app in an Intune Android Enterprise environment
This topic describes how to deploy and configure the Citrix SSO app through Microsoft Intune. It assumes that Intune is already configured for Android Enterprise support and that device enrollment is already done.
- Intune is configured for Android Enterprise Support
- Device enrollment is complete
To set up Citrix SSO app in an Intune Android Enterprise environment
- Add Citrix SSO app as a managed app
- Configure managed app policy for Citrix SSO app
Add Citrix SSO app as a managed app
Log in to your Azure portal.
Click Intune on the left navigation blade.
Click Client Apps in the Microsoft Intune blade and then click Apps in the Client apps blade.
Click +Add link in the top right menu options. The Add app configuration blade appears.
Select Managed Google Play for the app type.
This adds the Managed Google Play search and approve blade if you have configured Android Enterprise.
Search for Citrix SSO app and select it from the list of apps.
Note: If Citrix SSO does not appear in the list, that means that the app is not available in your country.
Click APPROVE to approve Citrix SSO for deployment through Managed Google Play store.
The permissions that are required by Citrix SSO app are listed.
Click APPROVE to approve the app for deployment.
Click Sync to sync this selection with Intune.
Citrix SSO app is added to the Client apps list. You might have to search for the Citrix SSO app if there are many apps added.
Click Citrix SSO app to open the app details blade.
Click Assignments in the details blade. Citrix SSO - Assignments blade appears.
Click Add group to assign the user groups to which you want to give permissions to install Citrix SSO app, and click Save.
Close the Citrix SSO app details blade.
Citrix SSO app is added and enabled for deployment to your users.
Configure managed app policy for Citrix SSO app
After the Citrix SSO app is added, you must create a managed configuration policy for Citrix SSO app so that VPN profile can be deployed to the Citrix SSO app on the device.
Open Intune blade in your Azure portal.
Open Client Apps blade from the Intune blade.
Select App configuration policies item from the Client apps blade and click Add to open the Add configuration policy blade.
Enter a name for the policy and add a description for it.
In Device enrollment type, select Managed devices.
In Platform, select Android.
This adds another configuration option for the associated app.
Click Associated app and select Citrix SSO app.
You might have to search for it if you have many apps.
Click OK. A configuration settings option is added in the Add configuration policy blade.
Click Configuration settings.
A blade to configure Citrix SSO app appears.
In Configuration Settings, select either Use configuration designer or Enter JSON data to configure Citrix SSO app.
Note: For simple VPN configurations it is recommended to use configuration designer.
VPN configuration using user configuration designer
In Configuration Settings, select Use configuration designer and click Add.
You are presented with a key value entry screen for configuring various properties that are supported by Citrix SSO app. At a minimum you must configure the Server Address and VPN Profile Name properties. You can hover over the DESCRIPTION section to get more information about each property.
For example, select VPN Profile Name and Server Address(*) properties and click OK.
This adds the properties to the configuration designer. You can configure the following properties.
VPN Profile Name. Type a name for the VPN profile. If you are creating more than one VPN profile, use a unique name for each. If you do not provide a name, the address you enter in the Server Address field is used as the VPN profile name.
Server Address(*). Type your Citrix Gateway base FQDN. If your Citrix Gateway port is not 443, also type your port. Use URL format. For example,
Username (optional). Enter the user name that the end users use to authenticate to the Citrix Gateway. You may use the Intune config value token for this field if gateway is configured to use it (see config value tokens.) If you do not provide a user name, users are prompted to provide a user name when they connect to Citrix Gateway.
Password (optional). Enter the password that end users use to authenticate to the Citrix Gateway. If you do not provide a password, users are prompted to provide a password when they connect to Citrix Gateway.
Certificate Alias (optional). Provide a certificate alias in Android KeyStore to be used for client certificate authentication. This certificate is pre-selected for users if you are using certificate-based authentication.
Per-App VPN Type (optional). If you are using per-app VPN to restrict which apps use this VPN, you can configure this setting.
- If you select Allow, network traffic for app package names listed in the PerAppVPN app list is routed through the VPN. The network traffic of all other apps is routed outside the VPN.
- If you select Disallow, network traffic for app package names listed in the PerAppVPN app list is routed outside the VPN. The network traffic of all other apps is routed through the VPN. Default is Allow.
- PerAppVPN app list. A list of apps whose traffic is allowed or disallowed on the VPN, depending on the value of Per-App VPN Type. List the app package names separated by commas or semicolons. App package names are case sensitive and must appear on this list exactly as they appear in the Google Play store. This list is optional. Keep this list empty for provisioning device-wide VPN.
Default VPN profile. The VPN profile name used when Always-On VPN is configured for Citrix SSO app. If this field is empty, the main profile is used for connection. If only one profile is configured, it is marked as default VPN profile.
To make the Citrix SSO app the Always-On VPN app in Intune, set the VPN provider to custom and use com.citrix.CitrixVPN as the app package name.
Only certificate based client authentication is supported for Always-On VPN by Citrix SSO app.
Admins must select Client Authentication and set Client Certificate to Mandatory in the SSL Profile or SSL Properties on the Citrix Gateway for the SSO app to work as intended.
Disable User Profiles
- If you set this value to true, users cannot add new VPN profiles on their devices.
- If you set this value to false, users can add their own VPNs on their devices.
Default value is false.
Block Untrusted Servers
- Set this value to false when using a self-signed certificate for Citrix Gateway or when the root certificate for the CA issuing the Citrix Gateway certificate is not in the system CA list.
- Set this value to true to have the Android operating system validate the Citrix Gateway certificate. If the validation fails, the connection is not allowed.
Default value is true.
For the Server Address(*) property, enter your VPN gateway base URL (for example,
For VPN Profile Name, enter a name that is visible to the end user in the Citrix SSO app’s main screen (for example, My Corporate VPN).
You may add and configure other properties as appropriate to your Citrix Gateway deployment. Click OK when you are done with configuration.
Click Permissions section. In this section, you can grant permissions required by Citrix SSO app.
If you are using Intune NAC check, Citrix SSO app requires that you grant Phone state (read) permission. Click Add button to open permissions blade. Currently, Intune displays a significant list of permissions that are available to all the apps.
If you are using Intune NAC check, select Phone state (read) permission and click OK. This adds it to the list of permissions for the app. Select either Prompt or Auto grant so that Intune NAC check can work and click OK.
Click Add at the bottom of the App configuration policy blade to save the managed configuration for Citrix SSO app.
Click Assignments in the App configuration policy blade to open the Assignments blade.
Select the user groups for which you want this Citrix SSO configuration to be delivered and applied.
VPN configuration by entering JSON data
In Configuration Settings, select Enter JSON data for configuring Citrix SSO app.
Use Download JSON template button to download a template that allows for providing more detailed/complex configuration for Citrix SSO app. This template is a set of JSON key-value pairs to configure all the possible properties that Citrix SSO app understands.
For a list of all the available properties that can be configured, see Available properties for configuring VPN profile in Citrix SSO app.
Once you have created a JSON configuration file, copy and paste its contents in the editing area. For example, following is the JSON template for basic configuration created above using configuration designer option.
This completes the procedure for configuring and deploying VPN profiles for Citrix SSO app in Microsoft Intune Android Enterprise environment.
Important: Certificate used for client certificate based authentication is deployed using Intune SCEP profile. The alias for this certificate should be configured in the Certificate Alias property of the managed configuration for Citrix SSO app.
Available properties for configuring VPN profile in Citrix SSO app
|Configuration Key||JSON Field Name||Value Type||Description|
|VPN Profile Name||VPNProfileName||Text||Name of the VPN profile (if not set defaults to server address).|
|Server Address(*)||ServerAddress||URL||Base URL of the Citrix Gateway for the connection (https://host[:port]). This is a required field.|
|Username (optional)||Username||Text||User name used for authenticating with the Citrix Gateway (optional).|
|Password (optional)||Password||Text||Password of the user for authenticating with the Citrix Gateway (optional).|
|Certificate Alias (optional)||ClientCertAlias||Text||Alias of the client certificate installed in Android credential store for use in certificate-based client authentication (optional).|
|Per-App VPN Type (optional)||PerAppVPN_Allow_Disallow_Setting||Enum (Allow, Disallow)||Whether the listed apps are allowed (whitelist) or disallowed (blacklist) to use the VPN tunnel. If set to Allow, only listed apps (in PerAppVPN app list property) are allowed to tunnel through the VPN. If set to Disallow, all apps except the listed ones are allowed to tunnel through the VPN. If no apps are listed, then all apps are allowed to tunnel through the VPN.|
|PerAppVPN app list||PerAppName_Appnames||Text||Comma (,) or semicolon (;) separated list of app package names for per-app VPN. The package names must be exactly same as they appear in Google Play store app listing page URL. Package names are case sensitive.|
|Default VPN profile||DefaultProfileName||Text||Name of the VPN profile to use when system starts the VPN service. This setting is used for identifying the VPN profile to use when Always-On VPN is configured on the device.|
|Disable User Profiles||DisableUserProfiles||Boolean||Property to allow or not allow the end users to manually create VPN profiles. Set this value to true to disable users from creating VPN profiles. Default value is false.|
|Block Untrusted Servers||BlockUntrustedServers||Boolean||Determines whether connections to untrusted gateways (for example, gateways using self-signed certificates or whose issuing CA is not trusted by the Android operating system) are blocked. Default value is true (block connections to untrusted gateways).|
|Custom Parameters (optional)||CustomParameters||List||List of custom parameters (optional) that are supported by Citrix SSO app. For details, see Custom Parameters. Check Citrix Gateway documentation for available options.|
|List of additional VPN profiles||bundle_profiles||List||List of additional VPN profiles. Most of the above mentioned values for each profile are supported. For details, see Supported Properties List.|
Each custom parameter must be defined using the following key-value names.
|ParameterName||Text||Name of the custom parameter.|
|ParameterValue||Text||Value of the custom parameter.|
Supported Properties for each VPN in VPN Profile List
The following properties are supported for each VPN profile when configuring multiple VPN profiles using the JSON template.
|Configuration Key||JSON Field Name||Value Type|
|VPN Profile Name||bundle_VPNProfileName||Text|
|Client Cert Alias||bundle_ClientCertAlias||Text|
|Per-App VPN Type||bundle_PerAppVPN_Allow_Disallow_Setting||Enum (Allow, Disallow)|
|PerAppVPN app list||bundle_PerAppVPN_Appnames||Text|
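The following pre-deployment check is an added example, not Citrix or Intune code: it lints a VPN profile against the rules this page states (https base URL, Allow/Disallow enum, comma- or semicolon-separated package names, certificate alias for Always-On, default profile name) and also flags an embedded password. It assumes the settings are held in a flat dict keyed by the JSON field names from the tables above and that bundle_profiles is a list of such dicts; `lint_profile`, `split_packages`, the `always_on` flag and the sample values are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Android package name: dot-separated segments, each starting with a letter.
PKG_RE = re.compile(r"^[A-Za-z]\w*(\.[A-Za-z]\w*)+$", re.ASCII)

def split_packages(raw):
    """Split a PerAppVPN app list on commas or semicolons, dropping blanks."""
    return [p.strip() for p in re.split(r"[,;]", raw or "") if p.strip()]

def lint_profile(cfg, always_on=False):
    """Findings for a flat dict of JSON field names (always_on: hypothetical flag)."""
    findings = []
    server = cfg.get("ServerAddress", "")
    url = urlsplit(server)
    if url.scheme != "https" or not url.hostname:
        findings.append("ServerAddress must be https://host[:port]")
    elif url.path not in ("", "/") or url.query or url.username:
        findings.append("ServerAddress must be the gateway base URL only")
    if cfg.get("BlockUntrustedServers", True) is False:
        findings.append("BlockUntrustedServers=false: untrusted gateways are not blocked")
    if cfg.get("Password"):
        findings.append("Password is embedded in the policy")
    if always_on and not cfg.get("ClientCertAlias"):
        findings.append("Always-On needs ClientCertAlias (certificate auth only)")
    mode = cfg.get("PerAppVPN_Allow_Disallow_Setting")
    if mode is not None and mode not in ("Allow", "Disallow"):
        findings.append(f"Per-App VPN Type must be Allow or Disallow, got {mode!r}")
    for pkg in split_packages(cfg.get("PerAppName_Appnames")):
        if not PKG_RE.match(pkg):
            findings.append(f"not a valid package name: {pkg!r}")
    # The main profile's name defaults to the server address when unset.
    names = {cfg.get("VPNProfileName") or server}
    names |= {b.get("bundle_VPNProfileName") for b in cfg.get("bundle_profiles", [])}
    default = cfg.get("DefaultProfileName")
    if default and default not in names:
        findings.append(f"DefaultProfileName {default!r} matches no configured profile")
    return findings

# Constructed sample values (gateway.example.com is a placeholder host).
SAMPLE = {
    "VPNProfileName": "My Corporate VPN",
    "ServerAddress": "http://gateway.example.com:8443",
    "BlockUntrustedServers": False,
    "PerAppName_Appnames": "com.example.mail; com.example.crm,Bad Name",
    "DefaultProfileName": "Branch VPN",
}
if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE, always_on=True)))
```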