Contextual access based on the device posture

The Citrix Secure Private Access service provides contextual access based on a device posture by using an on-premises Citrix Gateway or a customer hosted Citrix Gateway (adaptive authentication) as an IdP to Citrix Workspace. The Enterprise Web or SaaS apps can either be enumerated or hidden from the end user based on the EPA check results and the configured smart access policy.

Note: Adaptive authentication is a Citrix Cloud service that enables advanced authentication for users logging in to Citrix Workspace. Adaptive authentication provides a gateway instance running in the cloud, and you can configure the authentication mechanism for this instance as required.

Prerequisites

Understanding the flow of events

  • User enters the Workspace URL into a browser or connects to a Workspace Store using a native Citrix Workspace App.
  • User is redirected to the Citrix Gateway configured as an IdP.
  • User is prompted to allow an EPA check to be performed on their device.
  • Citrix Gateway performs an EPA check after user consent to scan the device is given and writes the smart access tags to CAS against the device ID.
  • User logs in to Citrix Workspace using Citrix Gateway IdP and the configured authentication mechanism.
  • Citrix Gateway provides smart access policy information to Citrix Workspace and Secure Private Access.
  • User is redirected to the Citrix Workspace home page.
  • Citrix Workspace processes the smart access tags provided by the Citrix Gateway configured as an IdP, and then determines the apps that must be enumerated and displayed to the end user.

Configuration scenario – Enterprise Web or SaaS app enumeration based on device posture scans

Step 1: Configure smart access policies using Citrix Gateway GUI

  1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Smart Access > Profiles.
  2. On the Profiles tab, click Add to create a profile.

Create a profile for device posture check

  1. In Tags, enter the smart access tag name. This is the tag that you must enter manually when creating the contextual access policy.
  2. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Smart Access > Policies.
  3. Click Add to create a policy.

Create a policy for device posture check

  1. In Action, select the previously created profile and click Add.
  2. In Expression, create the policy expression and click OK.

Step 2: Create a contextual access policy

Perform the steps detailed in Create a contextual access policy.

Contextual access match conditions

  • In IF THE FOLLOWING CONDITION IS MET, select Device posture check.
  • If you have configured multiple smart access tags, select one of the following as per your requirement.
    • Match all of – The device ID must match all the smart access tags written against the device ID when you log in to Citrix Workspace.
    • Match if any – The device ID must match one of the smart access tags written against the device ID when you log in to Citrix Workspace.
  • In Enter custom tags, manually type the smart access tag. These tags must be identical to the tags configured in Citrix Gateway (Create Authentication Smart Access Profile > Tags).

Points to note

  • Posture evaluation occurs only when you log on to Citrix Workspace (that is, only during authentication).
  • In the current release, continuous device posture evaluation is not done. If the device context changes after the user logs on to Citrix Workspace, the change has no effect on the policy evaluation.
  • Device ID is a GUID generated for each end-user device. The Device ID might change if the browser used to access Citrix Workspace changes, cookies are deleted, or incognito/private mode is used. However, this change does not affect the policy evaluation.
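The following is an added illustrative model of the match conditions and the logon-time evaluation described above; it is not Citrix code and does not call any Citrix API. It assumes that custom tags are compared as exact strings (consistent with the requirement that they be identical to the Gateway profile tags) and that Workspace keeps the tags written at logon rather than re-scanning; the policies and tag names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ContextualAccessPolicy:
    """One 'Device posture check' condition for an app (constructed model)."""
    app: str
    custom_tags: frozenset   # must be spelled identically to the Gateway smart access profile tags
    match_mode: str          # "all" = Match all of, "any" = Match if any

    def matches(self, device_tags):
        # Exact string comparison is assumed; a tag that differs only in case never matches.
        if self.match_mode == "all":
            return self.custom_tags <= device_tags
        if self.match_mode == "any":
            return bool(self.custom_tags & device_tags)
        raise ValueError(f"unknown match mode {self.match_mode!r}")


class WorkspaceSession:
    """Smart access tags are snapshotted at logon; later posture changes are not re-evaluated."""
    def __init__(self, device_id, tags_at_logon):
        self.device_id = device_id
        self.tags = frozenset(tags_at_logon)


def enumerate_apps(session, policies):
    """Return the names of the apps whose policy condition is met, sorted."""
    return sorted(p.app for p in policies if p.matches(session.tags))


# Constructed sample policies, not from any real deployment.
POLICIES = [
    ContextualAccessPolicy("Payroll", frozenset({"AV_UPTODATE", "DISK_ENCRYPTED"}), "all"),
    ContextualAccessPolicy("Intranet", frozenset({"AV_UPTODATE", "DOMAIN_JOINED"}), "any"),
    ContextualAccessPolicy("Wiki", frozenset({"av_uptodate"}), "any"),  # case mismatch: never matches
]


def demo():
    # EPA scan at logon wrote only AV_UPTODATE for the constructed device ID
    session = WorkspaceSession("constructed-device-guid", {"AV_UPTODATE"})
    before = enumerate_apps(session, POLICIES)          # ['Intranet']
    # The device later becomes encrypted, but without a new logon nothing changes
    current_posture = {"AV_UPTODATE", "DISK_ENCRYPTED"}
    unchanged = enumerate_apps(session, POLICIES)       # ['Intranet']
    # A fresh logon re-runs the EPA scan and snapshots the new tags
    relogin = WorkspaceSession("constructed-device-guid", current_posture)
    after = enumerate_apps(relogin, POLICIES)           # ['Intranet', 'Payroll']
    return before, unchanged, after
```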