Citrix Enterprise Browser to Chrome Enterprise Premium migration
Existing Secure Private Access service customers can gradually transition from Citrix Enterprise Browser to Chrome Enterprise Premium (CEP). This phased migration approach allows organizations to maintain business continuity during the transition period by running both browser solutions in parallel. With the phased migration, customers can validate compatibility of existing applications and workflows with Chrome Enterprise Premium.
Important:
Some key access policy elements, such as access with restrictions and Workspace URL support, are not directly supported in CEP.
Provision Chrome Enterprise Premium
For existing Secure Private Access customers, the migration wizard in the Secure Private Access console facilitates CEP provisioning, extension installation for users, and a path for gradual application and user migration.
-
In the Secure Private Access admin console, navigate to Chrome Enterprise Premium > Configuration.
- Click Set up Google CEP.
-
Assign Citrix service account details within the Google Workspace console. For details, see Setup Google Chrome integration.
- Click Save and close.
The Chrome Enterprise Premium provisioning begins.
View provisioning and configuration details
You can view the provisioning and integration details in the Chrome Enterprise Premium > Configuration page.
Integration status
The integration status changes from In Progress to Complete once the Chrome Enterprise Premium provisioning is complete.
Once the Chrome Enterprise Premium provisioning is successfully completed, a policy update process is automatically triggered for the access policies and session policies.
This update process does the following:
- Review the existing policies (access and session).
- Check for users and user groups without emails in their rules.
- Query the CC Directory service to retrieve their emails, and add them to the policies.
The policy update process can also be manually retriggered using the Retry button.
Policy status (Email ID verification)
User email IDs are critical for migration and must be present in existing access policies and session policies. While Active Directory (AD) users typically have email IDs, some users or groups might be missing them. Administrators must identify and enrich these missing email addresses to ensure smooth migration and proper authentication.
The Policy status section indicates whether all required user/group email addresses are included in access/session policy rule conditions with the following status as applicable.
- Incomplete: Some policies were successfully enriched but the process is not complete because the email addresses for some users or user groups must be updated in the Active Directory.
- Policies updated: The email address enrichment is complete.
- Failed to update policies: No policies were enriched. This failure can be due to external issues.
- Update not started: Email address enrichment is not started.
- Updating: Email address enrichment in progress.
Note:
The total duration of the policy update process is determined by the following two factors. A larger count in either of these areas results in a longer processing time.
- The number of users and groups that require an email lookup in the Citrix Cloud Directory.
- The number of policies that must be updated.
Enrich the missing email addresses
Administrators must do the following steps to enrich the missing email addresses:
- Click View details to see a list of users and user groups requiring enrichment (currently limited to 100 entries).
- Add the missing email addresses in Active Directory.
- Click Retry to enrich the remaining users.
For details about synchronizing user directories, see To Synchronize user directory configured in Citrix Workspace with the Google Cloud user directory.
Google integration details
Displays the Google customer ID and the egress IP addresses associated with the Secure Gateway. Each time a user tries to access a Software as a Service (SaaS) application within this integration, traffic is routed through the Google Secure Gateway, which expands context-aware access to SaaS applications using IP allowlisting.
The Google customer ID and the user groups can be modified by clicking the Edit button.
Migrate apps and users
Once the CEP provisioning and access policies enrichment are complete, you can gradually migrate the apps and users.
-
Navigate to Chrome Enterprise Premium > Migrate Apps and Users.
The page displays the list of all applications.
- Click the edit icon in line with the application that you want to migrate.
-
Assign the users or user groups to this application. After successful migration, a confirmation message appears.
Migrated applications become accessible via Chrome Enterprise Premium through the Citrix Workspace app or Workspace UI. These applications are also available through the Citrix Enterprise Browser.