Admin-guided workflow for easy onboarding and set up

A new streamlined admin experience with step-by-step process to configure Zero Trust Network Access to SaaS apps, internal web apps, and TCP apps is available in the Secure Private Access service. It includes configuration of Adaptive Authentication, applications including user subscription, adaptive access policies, and others within a single admin console.

This wizard helps admins in achieving an error-free configuration either during onboarding or recurrent use. Also, a new dashboard is available with full visibility into the overall usage metrics and other key information.

The high-level steps include the following:

  1. Choose the authentication method for the subscribers to log in to Citrix Workspace.
  2. Add applications for your users.
  3. Assigns permissions for app access by creating the required access policies.
  4. Review the app configuration.

Access the Secure Private Access admin-guided workflow wizard

Perform the following steps to access the wizard.

  1. On the Secure Private Access service tile, click Manage.
  2. In the Overview page, click Continue.

Admin-guided workflow overview

Step 1: Set up identity and authentication

Select the authentication method for the subscribers to log in to Citrix Workspace. Adaptive authentication is a Citrix Cloud service that enables advanced authentication for customers and users logging in to Citrix Workspace. Adaptive Authentication service is a Citrix hosted, Citrix managed, Cloud hosted Citrix ADC that provides all the advanced authentication capabilities such as the following.

  • Multifactor authentication
  • Device posture scans
  • Conditional authentication
  • Contextual access to Citrix Virtual Apps and Desktops

  • To configure Adaptive Authentication, select Configure and use Adaptive Auth (Technical Preview) and then complete the configuration. For more details on Adaptive Authentication, see Adaptive Authentication service. After you configure Adaptive Authentication, you can click Manage to modify the configuration, if necessary.

Adaptive authentication

  • If you have initially selected a different authentication method and to switch to Adaptive Authentication, click Select and configure and then complete the configuration.

Adaptive authentication

To change the existing authentication method or make changes to the existing authentication method, click Workspace Authentication.

Step 2: Add and manage applications

After you have selected the authentication method, configure the applications. For the first-time users, the Applications landing page does not display any applications. Add an app by clicking Add an app. You can add SaaS apps, Web apps, and TCP/UDP apps from this page. To add an app, click Add an app.

Once you add an app, you can see it listed here.

Add an app

Complete the steps displayed in the following figure to add an app.


Step 3: Create access policies

For the first-time users, the Access Policies landing page does not display any policies. Click Create Policy to create a policy. Once you create a policy, you can see it listed here.

Add a policy

  1. For users of these applications - This field lists all the applications that an admin has configured in the Secure Private Access service. Admins can select the applications to which this contextual policy must be applied.

  2. If the following condition is met - Select the condition for which this adaptive access policy must be evaluated. Select the subsequent options based on the selected condition.

    Configure policy

  3. Click Add Condition to add more conditions.

    An AND operation is performed between the conditions, and then the contextual policy is evaluated.

  4. Then do the following - If the set condition matches, admins can select the action to be performed for the users accessing the application.
    • Allow access without restrictions - Allow access without any preset conditions.
    • Allow access with restrictions - Select one of the preset security policy combinations. These security policy combinations are predefined in the system. Admins cannot modify or add other combinations


      • The options Preset 4, Preset 5, and Preset 6 are enabled only for Enterprise web apps. If an admin has selected a SaaS app along with web apps in the list of apps, then the options Preset 4, Preset 5, and Preset 6 are disabled.

      • Admins can select a preset security policy and also select the option to launch an application through the secure browser in the same policy. Both the conditions are independent of each other.

    • Deny access – When selected, access to the apps is denied. All other options are grayed out.

    Allow or deny access

  5. Select Open in secure browser to always launch an application in the Secure Browser service regardless of other enhanced security settings.
  6. In Policy name, enter the name of the policy.
  7. Slide the toggle switch ON to enable the policy. The policy is disabled by default.

    Note: You can also enable the policy from the Access Policies page by enabling the toggle switch from the Status column. Click Create Policy.


If the admin has configured per-app level enhanced security controls, these are overwritten by the access policies.

Step 4: Review summary of each configuration

From the Review page, you can view the complete app configuration and then click Close.


The following figure displays the page after you have completed the 4-step configuration.

SPA configuration complete


  • After you have completed the configuration using the wizard, you can modify the configuration of a section by directly going to that section. You do not have to follow the sequence.
  • If you delete all the configured apps or the policies, you must add them again. In this case, the following screen appears if you have deleted all the policies.

Deleted policies


The dashboard provides admins full visibility into their top apps, top users, connectors health status, bandwidth usage, and so in a single place for consumption. This data is fetched from Citrix Analytics. The data for the various entities can be viewed for the preset time or for a custom timeline. For each entity, you can also view further details.

  • Users: Provides details about the active users using the applications (SaaS and Web).
  • Applications: Provides details about the applications (SaaS and Web) launched over the selected period.
  • Application sessions: Provides details about the total applications launched versus usage and number of sessions versus users.
  • Uploads: Displays the upload volume of each app.
  • Downloads: Displays the download volume of each app.
  • Domains: Summarizes the details of the domains, URLs, and apps accessed by the users.
  • Access policies: Displays the total number of access policies configured.
  • Connector insights: Provides insights into the connector statuses.

SPA dashboard1

SPA dashboard2

SPA dashboard3

SPA dashboard4

SPA dashboard5

SPA dashboard6

SPA dashboard7

Admin-guided workflow for easy onboarding and set up