Citrix Managed Desktops
Citrix Managed Desktops is the simplest, fastest way to deliver Windows apps and desktops from Microsoft Azure. Citrix Managed Desktops offers cloud-based management, provisioning, and managed capacity for delivering virtual apps and desktops to any device.
This solution includes:
- Cloud-based management and provisioning for delivering Citrix-hosted Windows Virtual Desktops, and apps from multi-session Windows machines.
- A high-definition user experience from a broad range of devices, using the Citrix Workspace app.
- Simplified image creation and management workflows, along with Citrix-managed single-session and multi-session images that have the latest Virtual Delivery Agent (VDA) installed.
- Secure remote access from any device using global points of presence of the Citrix Gateway service.
- Advanced monitoring and help desk management capabilities.
- Managed Azure IaaS, including Azure compute, storage, and networking for delivering virtual desktops.
If you’re familiar with Citrix Virtual Apps and Desktops, Citrix Managed Desktops simplifies the deployment of virtual apps and desktops. Citrix can manage the infrastructure for hosting those workloads.
Citrix Managed Desktops is a Citrix Cloud service. Citrix Cloud is the platform that hosts and administers Citrix services. Learn more about Citrix Cloud.
To learn more about Citrix Managed Desktops components, data flow, and security considerations, see Technical security overview.
How users access desktops and apps
Users (sometimes called subscribers) access their desktops and apps directly through their browser, using the Citrix HTML5 client. Users browse to a Citrix Workspace URL that is provided by you, their administrator. The Citrix Workspace platform enumerates and delivers the digital resources to users. Users start a desktop or an application from their workspace.
After you set up a catalog of machines that deliver desktops and apps, the service displays the Citrix Workspace URL. You then notify your users to go to that URL to start their desktop and apps.
As an alternative to navigating to Citrix Workspace to access their desktops and apps, users can install a Citrix Workspace app on their device. Download the app that’s right for the endpoint device’s operating system: https://www.citrix.com/downloads/workspace-app/.
Concepts and terminology
This section introduces some of the items and terms that administrators use in Citrix Managed Desktops:
The desktops and apps that Citrix Managed Desktops delivers to your users reside on virtual machines (VMs). Those VMs are created in a catalog.
A catalog is a group of identical virtual machines. When you deploy desktops, the machines in the catalog are shared with selected users. When you publish applications, multi-session machines host applications that are shared with selected users.
If you’re familiar with other Citrix Virtual Apps and Desktops products, a catalog in this service is similar to combining a machine catalog and a delivery group. (The catalog and delivery group creation workflows in other services are not available in this service.)
A catalog’s VMs reside in a resource location. A resource location also contains two or more Cloud Connectors. Citrix automatically creates the resource location and the Cloud Connectors when you create the first catalog.
When you create more catalogs, the Azure subscription, region, and domain determine whether Citrix creates another resource location. If those criteria match an existing catalog, Citrix tries to reuse that resource location.
You can add more Cloud Connectors. See Resource location actions.
When you create a catalog, a master image is used (with other settings) as a template for creating the machines.
Citrix Managed Desktops provides several Citrix-managed master images:
- Windows 10 Enterprise (single-session)
- Windows 10 Enterprise Virtual Desktop (multi-session)
- Windows 10 Enterprise Virtual Desktop (multi-session) with Office 365 ProPlus
- Windows Server 2012 R2
- Windows Server 2016
The Citrix-managed master images already have a Citrix Virtual Delivery Agent (VDA) and troubleshooting tools installed. The VDA is the communication mechanism between your users’ machines and the Citrix Cloud infrastructure that manages the service.
You can also import and use your own master image from Azure. You must install a VDA (and other software) on the image before it can be used to create a catalog.
The term VDA is often used to refer both to the machine that delivers apps or desktops and to the software component installed on that machine.
Learn more about master images, and how to use them.
You can create catalogs and build/import master images either in a Citrix-managed Azure subscription or in your own Azure subscription.
See Deployment scenarios for information about using the Citrix-managed Azure subscription or your own.
Learn more about Azure subscriptions.
When creating a catalog, you indicate if and how users can access locations and resources on their corporate on-premises network from their Citrix Managed Desktops desktops and apps.
When using the Citrix-managed Azure subscription, the choices are no connectivity, Azure VNet peering, and Citrix SD-WAN.
When using your own Azure subscription, there is no need to create a connection to Citrix Managed Desktops. You only need to add your subscription to Citrix Managed Desktops.
Learn more about Network connections.
Domain-joined and non-domain-joined
Several service operations and features differ, depending on whether the machines that deliver desktops and apps are domain-joined or non-domain-joined. Domain membership also affects the available deployment scenarios.
Both domain-joined and non-domain-joined machines support any of the user authentication methods available in the user’s workspace.
The following table explains the major differences between non-domain-joined and domain-joined machines.
|Non-domain-joined|Domain-joined|
|---|---|
|Do not need a connection to on-premises network.|Must have a connection to on-premises network, using Microsoft Azure VNet or Citrix SD-WAN.|
|Must use a Citrix-managed Azure subscription. (Cannot use your own Azure subscriptions.)|Can use a Citrix-managed Azure subscription and your own Azure subscriptions.|
|Active Directory is not used for machines (VDAs). VDAs are not joined to an AD domain.|Active Directory is used for machines (VDAs). VDAs are joined to an AD domain.|
|Active Directory group policies cannot be applied to VDAs. (You can apply local GPO on the master image that’s used to create a catalog.)|VDAs inherit group policies for the AD OU specified during catalog creation.|
|Users sign in using single sign-on.|When users sign in to their workspace using an authentication method other than Active Directory, they are also prompted for sign-in when a VDA (desktop or app) launches.|
|Cannot troubleshoot using a bastion machine or direct RDP.|Can troubleshoot using a bastion machine or direct RDP.|
|Cannot use Citrix Profile Management. (Recommend: Use persistent catalogs.)|Can use Citrix Profile Management or FSLogix.|
More technical concept information
Deployment scenarios differ, depending on whether you’re using the Citrix-managed subscription or your own customer-managed subscription.
There are differences in responsibility with Citrix-managed subscriptions and customer-managed subscriptions. For details, see Technical security overview.
Deploying in the Citrix-managed subscription
Citrix Managed Desktops supports several deployment scenarios for connection and user authentication.
Managed Azure AD: This is the simplest deployment, with non-domain-joined VDAs. It’s recommended for proofs of concept. You use the Managed Azure AD to manage users. (This is a Citrix-managed Azure AD.) Your users don’t need to access resources on your on-premises network.
Customer’s Azure Active Directory: This deployment also contains non-domain-joined VDAs. You use your own Active Directory or Azure Active Directory (AAD) for end user authentication. In this scenario, your users don’t need to access resources on your on-premises network.
Customer’s Azure Active Directory with on-premises access: This deployment also contains non-domain-joined VDAs. You use your own AD or AAD for end user authentication. In this scenario, installing Citrix Cloud Connectors in your on-premises network enables access to resources in that network.
Customer’s Azure Active Directory Domain Services and VNet peering: If your AD or AAD resides in your own Azure VNet and subscription, you can use the Microsoft Azure VNet peering feature for a network connection, and Azure Active Directory Domain Services (AADDS) for end user authentication. The VDAs are joined to your domain.
To enable your users to access data stored in your on-premises network, you can use your VPN connection from your Azure subscription to the on-premises location. Azure VNet peering is still used for network connectivity. Active Directory Domain Services in the on-premises location is used for end user authentication.
Customer’s Active Directory and SD-WAN: You can provide Citrix Managed Desktops users with access to files and other items from your on-premises or cloud SD-WAN networks.
Citrix SD-WAN optimizes all the network connections needed by Citrix Managed Desktops. Working in concert with the HDX technologies, Citrix SD-WAN provides quality-of-service and connection reliability for ICA and out-of-band Citrix Managed Desktops traffic.
Deploying in a customer-managed subscription
The preceding graphic illustrates using a customer-managed Azure subscription. However, the Citrix-managed subscription remains an option for other catalogs and images, as indicated by the dotted outline.
- July 2020: When adding a Cloud Connector to a resource location, using a customer-managed Azure subscription, you can specify the Cloud Connector machine’s performance type and Azure resource group. For details, see Resource location actions.
- June 2020: When creating a catalog, you can specify a machine naming scheme. See Create a catalog using custom create.
- June 2020: In a CSP environment, SD-WAN connections are created on a per-tenant basis. For the SD-WAN connection option to be available to the CSP administrator, the tenant must have an SD-WAN Orchestrator service entitlement. For details, see Filter resources by customer (multitenant deployments).
- June 2020: Production support for Linux VDAs when using a customer-managed Azure subscription.
- June 2020: The limit of VDAs per subscription is now 1,200.
- May 2020: You can add another Citrix-managed Azure subscription when you need more machines than the limit per subscription.
- May 2020: Expanded information about DNS servers.
- March 2020: Production support for SD-WAN connections.
- February 2020: To view your Citrix license usage information, follow the guidance in Monitor licenses and active usage for Citrix Managed Desktops service.
- February 2020: Preview support for catalogs containing Red Hat Enterprise Linux or Ubuntu machines. This feature is valid only when using a customer-managed Azure subscription, and requires an imported master image containing a Citrix Linux VDA.
- February 2020: You can now configure either vertical or horizontal load balancing for all of your multi-session machines. (Previously, all machines used horizontal load balancing.) This global selection applies to all catalogs in your deployment. See Load balancing.
- February 2020: You can now add an Azure subscription if you’re not a Global Admin.
- February 2020: A Citrix-managed master image is now available for Windows 10 Enterprise Virtual Desktop (multi-session) with Office 365 ProPlus.
- January 2020: Add support for custom routes in VNet peering connections.
- January 2020: Updates to security article to enhance port and rules information.
- November 2019: Preview support for SD-WAN connections.
- October 2019: In Supported operating systems, added entries for:
  - Windows 7 (supports only VDA 7.15 with the latest Cumulative Update).
  - Windows Server 2019.
- October 2019: Added Windows Server 2012 R2 to the Citrix-managed master images list.
- October 2019: Added resource location settings information. For details, see Resource location actions and Resource location settings when creating a catalog.
- September 2019: By default, machines are created in the Citrix-managed Azure subscription. Now you can also create catalogs and images in your own customer-managed Azure subscription.