Citrix SSO overview

The Citrix SSO app for macOS provides the best-in-class application access and data protection solution offered by Citrix Gateway. You can securely access business-critical applications, virtual desktops, and corporate data from anywhere at any time. Citrix SSO is the next-generation VPN client for Citrix Gateway, used to create and manage VPN connections from macOS devices. Citrix SSO is built on Apple’s Network Extension (NE) framework, a modern library of APIs for customizing and extending the core networking features of macOS. Network Extension with support for SSL VPN is available on devices running macOS 10.11+.

The Citrix SSO app replaces the legacy Citrix Gateway plug-in, which was based on Kernel Extensions (KE), a technology that Apple is deprecating. The Citrix SSO app supports advanced features such as Server Initiated Connections and DTLS.

The Citrix SSO app provides complete Mobile Device Management (MDM) support on macOS. With an MDM server, an administrator can remotely configure and manage device-level VPN profiles and per-app VPN profiles. The Citrix SSO app for macOS can be installed from the Mac App Store.

Feature comparison between Citrix VPN and Citrix SSO

The following table compares the availability of various features between Citrix VPN and Citrix SSO.

| Feature | Citrix VPN | Citrix SSO |
|---|---|---|
| App distribution method | Citrix Downloads page | App Store |
| Number of tunneled connections | 128 | 128 |
| Access from browser | Supported | Not supported |
| Access from native app | Supported | Supported |
| Split tunnel (OFF/ON/REVERSE) | Supported | Supported |
| Split DNS (LOCAL/REMOTE/BOTH) | REMOTE | REMOTE |
| Local LAN access | Enable/Disable | Always enabled |
| Server Initiated Connections (SIC) support | Not supported | Supported |
| Transfer login | Supported | Supported |
| Client side proxy | Supported | Not supported |
| Classic/Opswat EPA support | Supported | Supported |
| Device certificate support | Supported | Supported |
| Session timeout support | Supported | Supported |
| Forced timeout support | Supported | Supported |
| Idle timeout support | Supported | Not supported |
| IPv6 | Not supported | Supported |
| Network roaming (switch between Wi-Fi, Ethernet, and so on) | Supported | Supported |
| Intranet application support | Supported | Supported |
| DTLS support for UDP | Not supported | Supported |
| EULA support | Supported | Supported |
| App + Receiver integration | Supported | Not supported |
| Authentication – Local, LDAP, RADIUS | Supported | Supported |
| Client certificate authentication | Supported | Supported |
| TLS support (TLS1, TLS1.1 and TLS1.2) | Supported | Supported |
| Two factor authentication | Supported | Supported |

Compatibility with MDM products

Citrix SSO for macOS is compatible with most MDM providers, such as Citrix XenMobile and Microsoft Intune. It supports a feature called Network Access Control (NAC), with which MDM administrators can enforce end-user device compliance before the device connects to Citrix Gateway. NAC on Citrix SSO requires an MDM server, such as XenMobile or Intune, and Citrix Gateway. For more on NAC, see the NAC entry in the FAQs section.

Configure an MDM managed VPN profile for Citrix SSO

The following section gives step-by-step instructions for configuring both device-wide and per-app VPN profiles for Citrix SSO, using Citrix Endpoint Management (formerly XenMobile) as an example. Other MDM solutions can use this document as a reference when working with Citrix SSO.

Note: This section explains the configuration steps for a basic device-wide and per-app VPN profile. You can also configure On-Demand, Always-On, and proxy settings by following the Citrix Endpoint Management (formerly XenMobile) documentation or Apple’s MDM VPN payload configuration reference.

Device level VPN profiles

Device-level VPN profiles set up a system-wide VPN. Traffic from all apps and services is tunneled to Citrix Gateway according to the VPN policies (Full tunnel, Split tunnel, Reverse split tunnel) defined on Citrix ADC.

To configure a device level VPN on Citrix Endpoint Management

Perform the following steps to configure a device level VPN.

1. On the Citrix Endpoint Management MDM console, navigate to Configure > Device Policies > Add New Policy.

2. Select macOS on the left Policy Platform pane. Select VPN Policy on the right pane.

3. On the Policy Info page, enter a valid policy name and description and click Next.

4. On the Policy detail page for macOS, type a valid connection name and choose Custom SSL as the Connection Type.

Note: In the MDM VPN payload, the connection name corresponds to the UserDefinedName key, and the VPNType key must be set to VPN.

5. In Custom SSL identifier (reverse DNS format), enter com.citrix.NetScalerGateway.macos.app. This is the bundle identifier of the Citrix SSO app on macOS.

Note: In the MDM VPN payload, the Custom SSL identifier corresponds to the VPNSubType key.

6. In Provider bundle identifier, enter com.citrix.NetScalerGateway.macos.app.vpnplugin. This is the bundle identifier of the network extension contained in the Citrix SSO macOS app binary.

Note: In the MDM VPN payload, the provider bundle identifier corresponds to the ProviderBundleIdentifier key.

7. In Server name or IP address, enter the IP address or FQDN of the Citrix ADC associated with this Citrix Endpoint Management instance.

The remaining fields on the configuration page are optional. Their configuration is described in the Citrix Endpoint Management documentation.

8. Click Next.


9. Click Save.

Per-App VPN profiles

Per-App VPN profiles set up a VPN for a specific application; only that app’s traffic is tunneled to Citrix Gateway. The Per-App VPN payload supports all the keys of the device-wide VPN payload plus a few additional keys.

To configure a per-App level VPN on Citrix Endpoint Management

Perform the following steps to configure a Per-App VPN on Citrix Endpoint Management:

1. Complete the device level VPN configuration on Citrix Endpoint Management.

2. Turn the Enable Per-App VPN switch ON in the Per-App VPN section.

3. Turn the On-Demand Match App Enabled switch ON if Citrix SSO should start automatically when the matched app is launched. This is recommended for most Per-App cases.

Note: In the MDM VPN payload, this field corresponds to the key OnDemandMatchAppEnabled.

4. Safari Domain configuration is optional. When a Safari domain is configured, Citrix SSO starts automatically when a user launches Safari and navigates to a URL that matches a domain in the Domain field. This is not recommended if you want to restrict the VPN to a specific app.

Note: In the MDM VPN payload, this field corresponds to the key SafariDomains.

The remaining fields on the configuration page are optional. Their configuration is described in the Citrix Endpoint Management (formerly XenMobile) documentation.


5. Click Next.

6. Click Save.

To associate this VPN profile with a specific app on the device, you must create an App Inventory policy and a credentials provider policy by following this guide: https://www.citrix.com/blogs/2016/04/19/per-app-vpn-with-xenmobile-and-citrix-vpn/
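The device-level and per-app steps above each map a console field to a key in Apple’s MDM VPN payload. The following script, added here as an example and not Citrix or Apple code, builds that payload with the key names the notes on this page give (UserDefinedName, VPNType, VPNSubType, ProviderBundleIdentifier, OnDemandMatchAppEnabled, SafariDomains), wraps it in a configuration profile, serializes it as an XML plist, and checks that the Citrix SSO identifiers survive a round trip. The PayloadType, PayloadUUID, VPNUUID, VPN.RemoteAddress and AuthenticationMethod fields are standard Apple VPN payload keys not named on this page, and the gateway host name and connection name are constructed placeholders.

```python
"""Build and check the Apple MDM VPN payload for a Citrix SSO profile.
Added example, not Citrix or Apple code. Gateway/connection names are
constructed placeholders; see the lead-in for which keys are assumed."""
import plistlib
import uuid

# Bundle identifiers from steps 5 and 6 of the device-level procedure.
CITRIX_SSO_APP_ID = "com.citrix.NetScalerGateway.macos.app"
CITRIX_SSO_NE_ID = "com.citrix.NetScalerGateway.macos.app.vpnplugin"


def build_vpn_payload(connection_name, gateway, per_app=False, safari_domains=None):
    """Return the VPN payload dictionary for a Citrix SSO profile.

    per_app=True adds the per-app keys (VPNUUID, OnDemandMatchAppEnabled,
    SafariDomains) on top of the device-level keys, mirroring the page's
    statement that the per-app payload is a superset of the device-wide one.
    """
    payload = {
        "PayloadType": "com.apple.vpn.managed",  # standard Apple key (assumed)
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{CITRIX_SSO_APP_ID}.vpn.{connection_name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": connection_name,
        # Step 4: connection name -> UserDefinedName; Custom SSL -> VPNType "VPN"
        "UserDefinedName": connection_name,
        "VPNType": "VPN",
        # Step 5: Custom SSL identifier -> VPNSubType (app bundle id)
        "VPNSubType": CITRIX_SSO_APP_ID,
        # Step 6: Provider bundle identifier -> network extension bundle id
        "ProviderBundleIdentifier": CITRIX_SSO_NE_ID,
        # Step 7: gateway FQDN/IP -> VPN.RemoteAddress (standard Apple key, assumed)
        "VPN": {
            "RemoteAddress": gateway,
            "AuthenticationMethod": "Password",  # assumed; "Certificate" also exists
        },
    }
    if per_app:
        payload["VPNUUID"] = str(uuid.uuid4()).upper()  # referenced by app policies
        payload["OnDemandMatchAppEnabled"] = True         # per-app step 3
        if safari_domains:
            payload["SafariDomains"] = list(safari_domains)  # per-app step 4
    return payload


def build_profile(payload):
    """Wrap one payload in a top-level configuration profile and serialize it
    to the XML plist an MDM server pushes to the device."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": payload["PayloadIdentifier"] + ".profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": payload["PayloadDisplayName"],
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Parse a profile back and verify the Citrix SSO identifiers are intact.
    Returns a list of problems; an empty list means the profile is consistent."""
    profile = plistlib.loads(profile_bytes)
    problems = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if p.get("VPNType") != "VPN":
            problems.append("VPNType must be VPN for a Custom SSL connection")
        if p.get("VPNSubType") != CITRIX_SSO_APP_ID:
            problems.append("VPNSubType is not the Citrix SSO app bundle id")
        if p.get("ProviderBundleIdentifier") != CITRIX_SSO_NE_ID:
            problems.append("ProviderBundleIdentifier is not the Citrix SSO NE id")
        if not p.get("VPN", {}).get("RemoteAddress"):
            problems.append("VPN.RemoteAddress (gateway) is missing")
    return problems


if __name__ == "__main__":
    vpn = build_vpn_payload("Corp-VPN", "gateway.example.com", per_app=True,
                            safari_domains=["intranet.example.com"])
    profile = build_profile(vpn)
    print(profile.decode())
    print("problems:", check_profile(profile))
```

Running the script prints the XML profile for a per-app connection and an empty problem list; feeding it a profile whose VPNType was changed to another value reports the mismatch, which is the kind of check worth running on exported MDM profiles before assigning them to devices.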

Configuring split tunnel in Per-App VPN

MDM customers can configure split tunnel in Per-App VPN for Citrix SSO. To do so, add the following key/value pair to the vendor configuration section of the VPN profile created on the MDM server.

-  Key = "PerAppSplitTunnel"
-  Value = "true or 1 or yes"

The key is case sensitive and must match exactly; the value is not case sensitive.

Note: The user interface for vendor configuration is not standard across MDM vendors. Contact your MDM vendor to locate the vendor configuration section in your MDM console.

[Screenshot: split-tunnel-per-app-CEM, the vendor-specific settings for this key in Citrix Endpoint Management]

[Screenshot: split-tunnel-per-app-Intune, the vendor-specific settings for this key in Microsoft Intune]

Disabling user created VPN profiles

MDM customers can prevent users from manually creating VPN profiles from within the Citrix SSO app. To do so, add the following key/value pair to the vendor configuration section of the VPN profile created on the MDM server.

-  Key = "disableUserProfiles"
-  Value = "true or 1 or yes"

The key is case sensitive and must match exactly; the value is not case sensitive.

Note: The user interface for vendor configuration is not standard across MDM vendors. Contact your MDM vendor to locate the vendor configuration section in your MDM console.
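Both vendor configuration keys on this page (PerAppSplitTunnel and disableUserProfiles) follow the same matching rule: the key must match exactly, the value is compared case-insensitively, and a key that is off by one character is simply ignored, leaving the setting off. The following script, added here as an example and not Citrix code, encodes that rule and lints a VendorConfig dictionary for the two mistakes that rule invites: a key with the wrong case and a value other than true, 1 or yes. The sample dictionaries are constructed; the function names are this example’s own.

```python
"""Apply the vendor-configuration matching rule described on this page:
key exact and case sensitive, value case insensitive (true / 1 / yes).
Added example, not Citrix code; the sample VendorConfig dicts are constructed."""

# Keys that Citrix SSO reads from the VendorConfig dictionary, per this page.
CITRIX_SSO_VENDOR_KEYS = ("PerAppSplitTunnel", "disableUserProfiles")
# Accepted true values, compared after lower-casing.
TRUE_VALUES = {"true", "1", "yes"}


def vendor_flag(vendor_config, key):
    """Return True only when `key` is present with an exact (case-sensitive)
    match and its value, compared case-insensitively, is true, 1 or yes.
    A missing key, a key differing only in case, or any other value means
    the setting stays off, which is how the page describes the behaviour."""
    if key not in vendor_config:
        return False
    value = str(vendor_config[key]).strip().lower()
    return value in TRUE_VALUES


def lint_vendor_config(vendor_config):
    """Return warnings for keys that differ from a Citrix SSO key only in case
    (silently ignored) and for values that will not be treated as true."""
    warnings = []
    for present in vendor_config:
        for expected in CITRIX_SSO_VENDOR_KEYS:
            if present != expected and present.lower() == expected.lower():
                warnings.append(
                    f"key '{present}' will be ignored; Citrix SSO expects '{expected}'")
    for expected in CITRIX_SSO_VENDOR_KEYS:
        if expected in vendor_config and not vendor_flag(vendor_config, expected):
            warnings.append(
                f"value {vendor_config[expected]!r} for '{expected}' is not "
                "true/1/yes; the setting stays off")
    return warnings


if __name__ == "__main__":
    # Constructed samples: one correct profile, one with both common mistakes.
    good = {"PerAppSplitTunnel": "YES", "disableUserProfiles": 1}
    bad = {"perappsplittunnel": "true", "disableUserProfiles": "enabled"}
    print("good:", vendor_flag(good, "PerAppSplitTunnel"),
          vendor_flag(good, "disableUserProfiles"))
    for w in lint_vendor_config(bad):
        print("warning:", w)
```

The lint is worth running on exported profiles because the failure mode is silent: a profile with `perappsplittunnel` or `disableUserProfiles = "enabled"` installs without error, yet users can still create their own VPN profiles and per-app traffic is not split.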

[Screenshot: disable-VPN-CEM, the vendor-specific settings for this key in Citrix Endpoint Management]

[Screenshot: disable_VPN_Intune, the vendor-specific settings for this key in Microsoft Intune]

Known issues

The following are the currently known issues.

  • EPA login fails if the user is placed in quarantine group.
  • Forced timeout warning message is not displayed.
  • SSO app allows login if split tunnel is ON and no intranet apps are configured.

Limitations

The following are the current limitations.

  • Some EPA scans (for example, patch management scans, web browser scans, and kill process) might fail because the SSO app’s access is restricted by sandboxing.
  • Split tunneling based on ports/protocols is not supported.

FAQs

This section captures the frequently asked questions on the Citrix SSO app.

How is the Citrix SSO app different from the Citrix VPN app? Citrix SSO is the next-generation SSL VPN client for Citrix ADC. The app uses Apple’s Network Extension framework to create and manage VPN connections on iOS and macOS devices. Citrix VPN is the legacy VPN client that used Apple’s private VPN APIs, which are now deprecated. Support for Citrix VPN will be removed from the App Store in the months to come.

What is NE? The Network Extension (NE) framework from Apple is a modern library of APIs for customizing and extending the core networking features of iOS and macOS. Network Extension with support for SSL VPN is available on devices running iOS 9+ and macOS 10.11+.

With which versions of Citrix ADC is Citrix SSO compatible? VPN features in Citrix SSO are supported on Citrix ADC versions 10.5 and later. TOTP is available on Citrix ADC version 12.0 and later. Push Notification on Citrix ADC has not been publicly announced yet. The app requires iOS 9+ or macOS 10.11+.

How does certificate-based authentication for non-MDM customers work? Customers who previously distributed certificates via email or browser to perform client certificate authentication in Citrix VPN should note this change when using Citrix SSO. This mostly affects non-MDM customers who do not use an MDM server to distribute user certificates. See “Importing Certificates into Citrix SSO via Email” for how to distribute certificates.

What is Network Access Control (NAC)? How do I configure NAC with Citrix SSO and Citrix Gateway? Microsoft Intune and Citrix Endpoint Management (formerly XenMobile) MDM customers can take advantage of the Network Access Control (NAC) feature in Citrix SSO. With NAC, administrators can secure their enterprise internal network by adding an extra layer of authentication for mobile devices that are managed by an MDM server. Administrators can enforce a device compliance check at the time of authentication in Citrix SSO.

To use NAC with Citrix SSO, you must enable it on both Citrix Gateway and the MDM server.

  • To enable NAC on Citrix ADC, see the Citrix ADC documentation.
  • If your MDM vendor is Intune, see the Intune documentation.
  • If your MDM vendor is Citrix Endpoint Management (formerly XenMobile), see the Citrix Endpoint Management documentation.

Note: The minimum supported Citrix SSO version is 1.1.6.