Prerequisites for the integrated solution
To ensure optimal integration between the Citrix Workspace™ application and Chrome Enterprise Premium, the following prerequisites must be implemented. Successful completion of these prerequisites result in a more efficient and seamless experience when launching applications from the Citrix Workspace app or the web-based user interface.
The prerequisites are broadly classified into the following categories.
- Licenses, app versions, and extensions
- Google Admin console
- Secure Private Access service
- Chrome browser
- Synchronize user directory configured in Citrix Workspace with the Google Cloud user directory
Licenses, app versions, and extensions
- Chrome Enterprise Premium license: Ensure that you have an active Chrome Enterprise Premium license, available through the Citrix Cloud Platform License (CPL) program.
-
Citrix Workspace App (CWA) version:
- Windows: 2025.07 or later
- macOS: 2025.08 or later
- Chrome browser version: Endpoints must use the latest Google Chrome version.
Google Admin console
- Google customer ID: Obtain your Google Customer ID from the Google Admin console. This ID is required to configure Google services and integrations. Your customer ID can be retrieved through Account > Account Settings in the Google Admin console.
- Create a custom role in the Google Admin console: To onboard customers to Chrome Enterprise Premium (CEP) and enable Google Chrome integration, admins must create a custom role and assign the appropriate privileges in the Google Admin console. For details, see Admin roles and privileges.
-
Proxy mode configuration: Set the proxy mode to Allow user to configure proxy. Avoid restrictive options such as No proxy, OS proxy, or Use this proxy only.
Note:
If the Google Admin console is set to use system proxy settings, the managed profile cannot apply the required proxy configuration for Citrix Secure Private Access, and the integration with Chrome Enterprise Premium fails.
- Restrict DevTools extensions: Chrome DevTools for force-installed extensions must be disabled to prevent exposure of sensitive data. This is the default option in the Google Admin console.
Secure Private Access service
-
IPv6 endpoints limitations: The Citrix Secure Private Access service, when integrated with Google cloud endpoints, might receive traffic from end-user devices with IPv6 addresses. Currently, Secure Private Access Geo Location and Network Location access policies lack IPv6 support.
Consequently, access policies with Geo Location or Network Location conditions might fail for end-user devices with an IPv6 address. Other access policies that do not leverage such conditions work for both IPv4 and IPv6 enabled end user devices.
-
Access restrictions are now configured in Google Admin console for CEP: Access restrictions that were previously configured in the Secure Private Access console only apply to Citrix Enterprise Browser. When Google Chrome is the enterprise browser, access restrictions must be configured as policies and rules in the Google Admin console.
- Policies are configured in the Google Admin console > Devices > Chrome > Settings. These settings allow you to manage browser settings, such as block javascript and allow list of printers.
- Rules are configured in Google Admin console > Rules. These rules are advanced settings related to DLP, such as adding a watermark, blocking the download of files with social security numbers, and URL filtering.
For details on creating policies and rules in the Google Workspace Admin console, see the following topics:
Google Chrome
Managed Chrome profiles: All end users must access Chrome using a managed profile. Managed profiles ensure that Chrome policies, extensions, and security settings are enforced on user devices.
Synchronize user directory configured in Citrix Workspace with the Google Cloud user directory
You must synchronize the user directory configured in Citrix Workspace or StoreFront with the Google Cloud user directory. Specifically the following user directories are supported:
- Active Directory
- Microsoft Entra ID (previously known as Azure Active Directory)
Note that user directory synchronization must occur periodically to ensure that application access is appropriately enforced.
Populate email address fields
The Google Cloud user directory requires the email address field to be populated. To be synchronized with Google Cloud user directory, a user or group object in Secure Private Access must have an email address. Otherwise, synchronization fails.
Ensure that all users that require access to the integrated Chrome Enterprise Premium and Secure Private Access offering, as well as all groups involved in access security policies have the email address field populated. The email address domain part must be a domain that is configured and verified in your Google Admin console.
Active Directory sync
You must synchronize your AD with the Google Cloud user directory to ensure seamless integration and consistent user management across your enterprise using the Google Cloud Directory Sync.
For details on how to sync your AD with Google Cloud to include custom AD fields under the custom schema “Citrix-schema”, see To sync your AD with Google Cloud.
Microsoft Entra ID
You must synchronize your Microsoft Entra ID with the Google Cloud user directory for user and group management across both Google and Microsoft cloud platforms. For details, see Get started with Directory Sync.
For more information, see Google Directory sync.