Prerequisites for installing
System requirements and compatibility
Device requirements
Citrix Workspace app supports Android versions 9 and later.
For the best results, update Android devices to the latest Android operating system.
You can start Citrix Workspace app sessions from Workspace for Web, when the web browser is compatible with Workspace for Web. If you’re unable to start the session, configure your account through Citrix Workspace app directly.
Important:
If a Technical Preview version of Citrix Workspace app for Android is installed, uninstall it before installing the new version.
Server requirements
StoreFront:
-
StoreFront 2.6 or later
Provides direct access to StoreFront stores. Citrix Workspace app for Android also supports prior versions of StoreFront.
-
StoreFront configured with a Workspace for website
Provides access to StoreFront stores from a web browser. For limitations of this deployment, see the StoreFront documentation.
Enable the rewrite policies provided by Citrix Gateway.
Citrix Virtual Apps and Desktops (any of the following products):
- Citrix Virtual Apps 7.5 or later
- Citrix Virtual Apps and Desktops 7.x or later
Connections and certificates
Citrix Workspace app supports HTTP, HTTPS, and ICA-over-TLS connections to a Citrix Virtual Apps server through any one of the following configurations.
For LAN connections:
- StoreFront 2.6 or later
- XenApp Services (formerly Program Neighborhood Agent) site.
For secure remote connections (any of the following products):
TLS Certificates
When you secure remote connections using TLS, the mobile device does the following:
- Authenticates the remote gateway’s TLS certificate against a local store of trusted root certificate authorities.
- Automatically recognizes commercially issued certificates (such as Verisign and Thawte) provided the root certificate for the certificate authority exists in the local keystore.
Private (Self-signed) Certificates
When you install a private certificate on the remote gateway, make sure the root certificate of the organization’s certificate authority is installed on the mobile device. This configuration helps you to access Citrix resources successfully using Citrix Workspace app for Android.
Note:
When you can’t verify the gateway’s certificate upon connection, because the root certificate isn’t included in the local keystore, an untrusted certificate warning appears. If a user selects to continue through the warning, a list of applications is displayed. However, an application fails to launch.
Wildcard Certificates
Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app for Android supports wildcard certificates.
Intermediate Certificates and Citrix Gateway
If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. See the Knowledge Center article that matches your edition of the Citrix Gateway: CTX114146 and CTX124937
Joint Server Certificate Validation Policy
Citrix Workspace app for Android has a stricter validation policy for server certificates.
Important:
Before installing Citrix Workspace app for Android, confirm that the certificates at the server or Citrix Gateway are correctly configured as described here. Connections might fail if:
- the server or Citrix Gateway configuration includes a wrong root certificate.
- the server or Citrix Gateway configuration does not include all intermediate certificates.
- the server or Citrix Gateway configuration includes an expired or otherwise invalid intermediate certificate.
- the server or Citrix Gateway configuration includes a cross-signed intermediate certificate.
When validating a server certificate, Citrix Workspace app for Android uses all the certificates supplied by the server (or Citrix Gateway) when validating the server certificate. It then also verifies if the certificates are trusted. If the certificates aren’t all trusted, the connection fails.
This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.
The server (or Citrix Gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause the Citrix Workspace app for Android connection to fail.
Suppose that a Citrix Gateway is configured with these valid certificates. It’s recommended for customers who require stricter validation. They can enforce stricter validation by determining exactly which root certificate is used by Citrix Workspace app for Android:
- “Example Server Certificate”
- “Example Intermediate Certificate”
- “Example Root Certificate”
Then, Citrix Workspace app for Android verifies if all these certificates are valid. Citrix Workspace app for Android also verifies if it already trusts an “Example Root Certificate”. If Citrix Workspace app for Android does not trust “Example Root Certificate,” the connection fails.
Important
Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (“DigiCert” / “GTE CyberTrust Global Root,” and “DigiCert Baltimore Root” / “Baltimore CyberTrust Root”) that can validate the same server certificates.
On some user devices, both root certificates are available. On other devices, only one is available (“DigiCert Baltimore Root” / “Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at the gateway, Citrix Workspace app for Android connections on those user devices fail. Consult the certificate authority’s documentation to determine which root certificate can be used. Also note that root certificates eventually expire, as do all certificates.
Note:
Some servers and Citrix Gateway never send the root certificate, even if configured. Stricter validation is then not possible.
Now suppose that a gateway is configured by using these valid certificates. This configuration, without the root certificate, is normally recommended:
- “Example Server Certificate”
- “Example Intermediate Certificate”
Citrix Workspace app for Android uses these two certificates. It then searches for a root certificate on the user device. If it finds one that validates correctly, and is also trusted, such as “Example Root Certificate”, the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app for Android needs, but also allows Citrix Workspace app for Android to choose any valid, trusted, root certificate.
Now suppose that a Citrix Gateway is configured by using these certificates:
- “Example Server Certificate”
- “Example Intermediate Certificate”
- “Wrong Root Certificate”
Citrix Workspace app for Android reads the wrong root certificate, and the connection fails.
Some certificate authorities use more than one intermediate certificate. In this case, the Citrix Gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:
- “Example Server Certificate”
- “Example Intermediate Certificate 1”
- “Example Intermediate Certificate 2”
Some certificate authorities use a cross-signed intermediate certificate. It’s intended for situations when more than one root certificate is found, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there are at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “Verisign Class 3 Public Primary Certification Authority - G5.”
However, a corresponding later root certificate “Verisign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority.” The later root certificate does not use a cross-signed intermediate certificate.
The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But, the cross-signed intermediate certificate has a different Issuer name (Issued By). It differentiates the cross-signed intermediate certificate from an ordinary intermediate certificate (such as “Example Intermediate Certificate 2”).
This configuration, without the root certificate and the cross-signed intermediate certificate, is normally recommended:
- “Example Server Certificate”
- “Example Intermediate Certificate”
Avoid configuring the Citrix Gateway to use the cross-signed intermediate certificate, because it selects the earlier root certificate:
- “Example Server Certificate”
- “Example Intermediate Certificate”
- “Example Cross-signed Intermediate Certificate” [not recommended]
It isn’t recommended to configure the Citrix Gateway by using only the server certificate:
- “Example Server Certificate”
When Citrix Workspace app for Android can’t locate all the intermediate certificates, the connection fails.