Admin-guided workflow for easy onboarding and set up

A new streamlined admin experience with step-by-step process to configure Zero Trust Network Access to SaaS apps, internal web apps, and TCP apps is available in the Secure Private Access service. It includes configuration of Adaptive Authentication, applications including user subscription, adaptive access policies, and others within a single admin console.

This wizard helps admins in achieving an error-free configuration either during onboarding or recurrent use. Also, a new dashboard is available with full visibility into the overall usage metrics and other key information.

The high-level steps include the following:

  1. Choose the authentication method for the subscribers to log in to Citrix Workspace.
  2. Add applications for your users.
  3. Assigns permissions for app access by creating the required access policies.
  4. Review the app configuration.

Access the Secure Private Access admin-guided workflow wizard

Perform the following steps to access the wizard.

  1. On the Secure Private Access service tile, click Manage.
  2. In the Overview page, click Continue.

Admin-guided workflow overview

Step 1: Set up identity and authentication

Select the authentication method for the subscribers to log in to Citrix Workspace. Adaptive authentication is a Citrix Cloud service that enables advanced authentication for customers and users logging in to Citrix Workspace. Adaptive Authentication service is a Citrix hosted, Citrix managed, Cloud hosted Citrix ADC that provides all the advanced authentication capabilities such as the following.

  • Multifactor authentication
  • Device posture scans
  • Conditional authentication
  • Adaptive access to Citrix Virtual Apps and Desktops

  • To configure Adaptive Authentication, select Configure and use Adaptive Auth (Technical Preview) and then complete the configuration. For more details on Adaptive Authentication, see Adaptive Authentication service. After you configure Adaptive Authentication, you can click Manage to modify the configuration, if necessary.

Adaptive authentication

  • If you have initially selected a different authentication method and to switch to Adaptive Authentication, click Select and configure and then complete the configuration.

Adaptive authentication

To change the existing authentication method or change the existing authentication method, click Workspace Authentication.

Step 2: Add and manage applications

After you have selected the authentication method, configure the applications. For the first-time users, the Applications landing page does not display any applications. Add an app by clicking Add an app. You can add SaaS apps, Web apps, and TCP/UDP apps from this page. To add an app, click Add an app.

Once you add an app, you can see it listed here.

Add an app

Complete the steps displayed in the following figure to add an app.


Step 3: Create access policies

For the first-time users, the Access Policies landing page does not display any policies. Click Create Policy to create a policy. Once you create a policy, you can see it listed here.

Add a policy

  1. For users of these applications - This field lists all the applications that an admin has configured in the Secure Private Access service. Admins can select the applications to which this adaptive access policy must be applied.

  2. If the following condition is met - Select the condition for which this adaptive access policy must be evaluated. Select the subsequent options based on the selected condition.


    The Users or groups condition is a mandatory condition to be met to grant access to the applications for the users. In User/user groups, select the following conditions, as per the need.

    • Does not match any - All users or groups except those listed in the field are allowed access.
    • Matches any of - Only the users or groups that match any of the names listed in the field are allowed access.

    Configure policy

  3. Click Add Condition to add more conditions.

    An AND operation is performed between the conditions, and then the adaptive access policy is evaluated.

  4. Then do the following - If the set condition matches, admins can select the action to be performed for the users accessing the application.
    • Allow access - Allow access without any preset conditions. Note: This option is applicable for browser-based applications only.
    • Deny access – When selected, access to the apps is denied. All other options are grayed out.
    • Allow access with restrictions - Select one of the preset security policy combinations. These security policy combinations are predefined in the system. Admins cannot modify or add other combinations. When you choose Allow access with restrictions, you can select the security controls as per your requirement. The following security restrictions can be enabled for the application.

      • Restrict clipboard access: Disables cut/copy/paste operations between the app and system clipboard
      • Restrict printing: Disables ability to print from within the Citrix Workspace app browser
      • Restrict navigation: Disables the next/back app browser buttons
      • Restrict downloads: Disables the user’s ability to download from within the app
      • Restric uploads: Disables the user’s ability to upload within the app
      • Display watermark: Displays a watermark on the user’s screen displaying the user name and IP address of the user’s machine
      • Restrict key logging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that the user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edit an Office365 word document, all key strokes are encrypted on key loggers.
      • Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.


    For TCP applications, both Allow access and Deny access options are available.

    Allow or deny access

  5. In Policy name, enter the name of the policy.
  6. Slide the toggle switch ON to enable the policy. The policy is disabled by default.

    Note: You can also enable the policy from the Access Policies page by enabling the toggle switch from the Status column. Click Create Policy.


If the admin has configured per-app level enhanced security controls, these are overwritten by the access policies.

Step 4: Review summary of each configuration

From the Review page, you can view the complete app configuration and then click Close.


The following figure displays the page after you have completed the 4-step configuration.

SPA configuration complete


  • After you have completed the configuration using the wizard, you can modify the configuration of a section by directly going to that section. You do not have to follow the sequence.
  • If you delete all the configured apps or the policies, you must add them again. In this case, the following screen appears if you have deleted all the policies.

Deleted policies

Admin-guided workflow for easy onboarding and set up