Citrix Secure Private Access for mobile devices
The Citrix Secure Private Access deployments are supported for mobile devices starting with Secure Access Client version 25.08.1 for iOS. Mobile users can access corporate applications and web resources under the Secure Private Access zero-trust model, providing the same security controls, policy enforcement, and seamless experience as desktop users.
Supported versions and platforms
- CSA Client: iOS 25.08.1 (Available on App Store)
- iOS OS version: Minimum iOS 16
-
Deployment models
- Secure Private Access for cloud deployments
- Secure Private Access for hybrid deployments
Supported features
For Secure Private Access deployments, resource access is controlled through policy configuration. Administrators can define policies specifying which users or groups can access particular applications and resources, under specific conditions and from approved devices or locations.
- Access to web, SaaS, and TCP/UDP applications according to your Secure Private Access policy conditions.
- Session security policies: Clipboard restrictions, downloads, uploads, printing, screen capture, Watermarking with Chrome Enterprise Premium.
For the complete list of supported features, see Citrix Secure Access client features supported in NetScaler Gateway.
Prerequisites
The Secure Private Access service must be configured and up‑to‑date. For details, see the following topics:
- Get started with Citrix Secure Private Access
- Secure Private Access onboarding and set up
- Apps configuration and management
Workflow for iOS users with Citrix Secure Access client
The following steps summarize the Secure Private Access flow for users on iOS devices with Citrix Secure Access client version 25.08.1 and later.
- Citrix Secure Access client installation: The Citrix Secure Access client must be installed on the mobile device. This can be achieved through Mobile Device Management (MDM) for corporate devices, or manually by the user downloading the application from the device’s app store.
- Access workspace/gateway URL: The user then accesses the designated workspace or gateway URL. This URL serves as the entry point for accessing the organization’s resources.
- User authentication: The user is prompted to authenticate their identity. This typically involves entering credentials such as a user name and password, or using multifactor authentication (MFA) methods.
-
Policy evaluation and access grant:
- Policy satisfied: If the user’s authentication and device posture satisfy the defined security policies, access is granted. This allows the user to access authorized web, SaaS, and private web applications.
- Policy failed: If the user fails to meet the policy requirements (for example, outdated operating system, unapproved device, incorrect credentials), access is either restricted or entirely denied, depending on the policy configuration.
-
Enforced session protections: Once access is granted, session protections are enforced as per the Chrome Enterprise Premium policy. For example:
- Clipboard restrictions: Preventing copying and pasting sensitive data outside the secure session.
- Download restrictions: Controlling or blocking the download of files to the local device.
- Screenshot restrictions: Preventing users from taking screenshots of sensitive content within the secure session.