Authenticate
Smart cards
Citrix Workspace app for Android supports authentication through Citrix Gateway using the following methods, depending on your edition:
- No authentication (Standard and Enterprise versions only)
- Domain authentication
- SMS Passcode (one-time PIN) authentication
- Smart card authentication
Citrix Workspace app for Android now supports the following products and configurations.
Smart card readers:
- BaiMobile 3000MP USB Smart Card Reader
Smart cards:
- PIV cards
- Common Access Cards
Configurations:
- Smart card authentication to Citrix Gateway with StoreFront 2 or 3 and Citrix Virtual Apps and Desktops 7.x and later.
Notes:
- Other token‑based authentication solutions can be configured using RADIUS. For SafeWord token authentication, see Configuring SafeWord Authentication.
- Fast smart card does not currently support Elliptic Curve Cryptography (ECC) smart cards.
How to use smart cards
Prerequisite
- Install C4E app from play store to use smart cards. Contact email address: android@citrix.com for licenses.
To use smart cards to access apps:
-
If you want to configure Citrix Workspace app automatically to access apps when you create an account, in the Address field, enter the valid URL of your store. For example:
- .organization.com
- netscalervserver.organization.com
-
Insert the smart card along with the supported reader to your Android device. The Citrix Workspace app automatically detects the smart card.
-
Select the Use Smartcard option to authenticate.
Note:
- Your access to the store stays valid for approximately one hour. After that time, you must sign in to refresh your access or start other apps.
Support for FIDO2-based authentication when connecting to HDX session
Starting with the 23.8.0 version, Citrix Workspace app for Android now supports password-less authentication within a Citrix Virtual Apps and Desktops session using FIDO2-based authentication methods.
This feature allows users to sign in to a WebAuthn-supported website in browsers. For example, Google Chrome or Microsoft Edge using FIDO2-supported platform authenticators such as fingerprint, and device PIN. Simply opening a WebAuthn-supported website triggers password-less authentication.
Signing in to the Citrix Workspace app or desktop session using password-less authentication isn’t supported on FIDO 2.
Note:
Roaming authenticators such as YubiKey, or Smart Card aren’t supported in Citrix Workspace app for Android.
For more information about the prerequisites for this feature, see Local authorization and virtual authentication using FIDO2 in the Citrix Virtual Apps and Desktops documentation.
Inactivity timeout for Citrix Workspace app sessions
The administrator can specify the amount of idle time that is allowed. After the time-out value, an authentication prompt appears.
For more information, see Inactivity timeout for Citrix Workspace app sessions.
Support for biometric authentication after inactivity
After the inactivity timer expires, the end user is asked to authenticate themselves using biometric features such as facial recognition and fingerprint scanning.
The most robust form of biometric authentication available to the end user depends on the OEM of their device, and they are prompted accordingly.
Support for authentication using FIDO2 when connecting to a cloud store
Starting with the 24.5.0 version, users can authenticate to Citrix Workspace app using FIDO2-based password‑less authentication when connecting to a cloud store. FIDO2 offers a seamless authentication method, allowing enterprise employees to access apps and desktops within virtual sessions without the need to enter user name or password. This feature supports both roaming (USB only) and platform authenticators (PIN code, Face recognition, and Fingerprint only). This feature is compatible with Android version 9 and later.
FIDO2 authentication is supported with the Chrome custom tabs. If you are interested to use FIDO2 authentication with WebView, register your interest using the Google form.
Note:
This feature is enabled by default.
User-Agent
Citrix Workspace app sends a User-Agent string in network requests that can be used to configure authentication policies including redirection of authentication to other Identity Providers (IdPs).
Note:
The version numbers mentioned as part of the User-Agent in the following table are examples and it is automatically updated based on the versions that you are using.
Scenario | Android Phone (WebView) | Android Phone (Custom Chrome Tab) | Android Tablet (WebView) | Android Tablet (Custom Chrome Tab) | Android Samsung DeX | Android Zebra Phone Mode | Android Zebra Dock Mode | Android HoneyWell |
---|---|---|---|---|---|---|---|---|
Cloud store | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Mobile Safari/537.36 | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable | Mozilla/5.0 (Linux; Android 13; SM-T875 Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/126.0.6478.133 Safari/537.36 | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable |
Cloud store - SaaS and Web app | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable | Mozilla/5.0 (Linux; Android 13; SM-T875 Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/126.0.6478.133 Safari/537.36 | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable |
On-premises stores |
Format: CitrixReceiver/<App-version> Android/<OS-version> <os-build-id> CWACapable. Example: CitrixReceiver/23.6.5 Android/13 TP1A.220624.014.T875XXU2DVK3 CWACapable |
CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable |
Format: CitrixReceiver/<App-version> Android/<OS-version> <os-build-id> CWACapable. Example: CitrixReceiver/23.6.5 Android/13 TP1A.220624.014.T875XXU2DVK3 CWACapable |
Format: CitrixReceiver/<App-version> Android/<OS-version> <os-build-id> CWACapable. Example: CitrixReceiver/23.6.5 Android/13 TP1A.220624.014.T875XXU2DVK3 CWACapable |
Format: CitrixReceiver/<App-version> Android/<OS-version> <os-build-id> CWACapable. Example: CitrixReceiver/23.6.5 Android/13 TP1A.220624.014.T875XXU2DVK3 CWACapable |
On-premises stores with NetScaler Gateway | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable |
On-premises store with NetScaler Gateway and nFactor authentication | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/13 TP1A.220624.014.T875XXU2DWB2 CWACapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable | CitrixReceiver/24.7.0 Android/14 UP1A.231005.007.S901EXXS7DXBE CWACapable VPNCapable |
On-premises store with third party gateway | NA | NA | NA | NA | NA | NA | NA | NA |