Authenticate

Smart cards

Citrix Workspace app for Android supports authentication through Citrix Gateway using the following methods, depending on your edition:

  • No authentication (Standard and Enterprise versions only)
  • Domain authentication
  • SMS Passcode (one-time PIN) authentication
  • Smart card authentication

Citrix Workspace app for Android now supports the following products and configurations.

Smart card readers:

  • BaiMobile 3000MP USB Smart Card Reader

Smart cards:

  • PIV cards
  • Common Access Cards

Configurations:

  • Smart card authentication to Citrix Gateway with StoreFront 2 or 3 and Citrix Virtual Apps and Desktops 7.x and later.

Notes:

  • Other token‑based authentication solutions can be configured using RADIUS. For SafeWord token authentication, see Configuring SafeWord Authentication.
  • Fast smart card does not currently support Elliptic Curve Cryptography (ECC) smart cards.

How to use smart cards

Prerequisite

To use smart cards to access apps:

  1. If you want to configure Citrix Workspace app automatically to access apps when you create an account, in the Address field, enter the valid URL of your store. For example:

    • .organization.com
    • netscalervserver.organization.com
  2. Insert the smart card along with the supported reader to your Android device. The Citrix Workspace app automatically detects the smart card.

    smart card

  3. Select the Use Smartcard option to authenticate.

Note:

  • Your access to the store stays valid for approximately one hour. After that time, you must sign in to refresh your access or start other apps.

Support for FIDO2-based authentication when connecting to HDX session

Starting with the 23.8.0 version, Citrix Workspace app for Android now supports password-less authentication within a Citrix Virtual Apps and Desktops session using FIDO2-based authentication methods.

This feature allows users to sign in to a WebAuthn-supported website in browsers. For example, Google Chrome or Microsoft Edge using FIDO2-supported platform authenticators such as fingerprint, and device PIN. Simply opening a WebAuthn-supported website triggers password-less authentication.

Signing in to the Citrix Workspace app or desktop session using password-less authentication isn’t supported on FIDO 2.

Note:

Roaming authenticators such as YubiKey, or Smart Card aren’t supported in Citrix Workspace app for Android.

For more information about the prerequisites for this feature, see Local authorization and virtual authentication using FIDO2 in the Citrix Virtual Apps and Desktops documentation.

Inactivity timeout for Citrix Workspace app sessions

The administrator can specify the amount of idle time that is allowed. After the time-out value, an authentication prompt appears.

For more information, see Inactivity timeout for Citrix Workspace app sessions.

Support for biometric authentication after inactivity

After the inactivity timer expires, the end user is asked to authenticate themselves using biometric features such as facial recognition and fingerprint scanning.

The most robust form of biometric authentication available to the end user depends on the OEM of their device, and they are prompted accordingly.

Support for authentication using FIDO2 when connecting to a cloud store

Starting with the 24.5.0 version, users can authenticate to Citrix Workspace app using FIDO2-based password‑less authentication when connecting to a cloud store. FIDO2 offers a seamless authentication method, allowing enterprise employees to access apps and desktops within virtual sessions without the need to enter user name or password. This feature supports both roaming (USB only) and platform authenticators (PIN code, Face recognition, and Fingerprint only). This feature is compatible with Android version 9 and later.

FIDO2 authentication is supported with the Chrome custom tabs. If you are interested to use FIDO2 authentication with WebView, register your interest using the Google form.

Note:

This feature is enabled by default.

User-Agent

Citrix Workspace app sends a User-Agent string in network requests that can be used to configure authentication policies including redirection of authentication to other Identity Providers (IdPs).

Note:

The version numbers mentioned as part of the User-Agent in the following table are examples and it is automatically updated based on the versions that you are using.

Scenario Android Phone (WebView) Android Phone (Custom Chrome Tab) Android Tablet (WebView) Android Tablet (Custom Chrome Tab) Android Samsung DeX Android Zebra Phone Mode Android Zebra Dock Mode Android HoneyWell
Cloud store CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Mobile Safari/537.36 CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable Mozilla/5.0 (Linux; Android 13; SM-T875 Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/126.0.6478.133 Safari/537.36 CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable
Cloud store - SaaS and Web app CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable Mozilla/5.0 (Linux; Android 13; SM-T875 Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/126.0.6478.133 Safari/537.36 CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable
On-premises stores Format: CitrixReceiver/<App-version> Android/<OS-version> <os-build-id> CWACapable. Example: CitrixReceiver/23.6.5 Android/13 TP1A.220624.014.T875XXU2DVK3 CWACapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable VPNCapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable Format: CitrixReceiver/<App-version> Android/<OS-version> <os-build-id> CWACapable. Example: CitrixReceiver/23.6.5 Android/13 TP1A.220624.014.T875XXU2DVK3 CWACapable Format: CitrixReceiver/<App-version> Android/<OS-version> <os-build-id> CWACapable. Example: CitrixReceiver/23.6.5 Android/13 TP1A.220624.014.T875XXU2DVK3 CWACapable Format: CitrixReceiver/<App-version> Android/<OS-version> <os-build-id> CWACapable. Example: CitrixReceiver/23.6.5 Android/13 TP1A.220624.014.T875XXU2DVK3 CWACapable
On-premises stores with NetScaler Gateway CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable VPNCapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable
On-premises store with NetScaler Gateway and nFactor authentication CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable VPNCapable CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable
On-premises store with third party gateway NA NA NA NA NA NA NA NA