Administrator tasks and considerations

This article discusses the tasks and considerations that are relevant for administrators of Citrix Workspace app for iOS.

Feature flag management

If an issue occurs with Citrix Workspace app in production, we can disable an affected feature dynamically in Citrix Workspace app even after the feature is shipped. To do so, we use feature flags and a third-party service called LaunchDarkly. You do not need to make any configurations to enable traffic to LaunchDarkly, except when you have a firewall or proxy blocking outbound traffic. In that case, you enable traffic to LaunchDarkly via specific URLs or IP addresses, depending on your policy requirements.

You can enable traffic and communication to LaunchDarkly in the following ways:

Enable traffic to the following URLs


List IP addresses in an allow list

If you must list IP addresses in an allow list, for a list of all current IP address ranges, see LaunchDarkly public IP list. You can use this list to ensure that your firewall configurations are updated automatically in keeping with the infrastructure updates. For details about the status of the infrastructure changes, see the LaunchDarkly Status page.

LaunchDarkly system requirements

Ensure that the apps can communicate with the following services if you have split tunneling on Citrix ADC set to OFF for the following services:

  • LaunchDarkly service.
  • APNs listener service

Save passwords

Using the Citrix Web Interface Management console, you can configure the authentication method to allow users to save their passwords. When you configure the user account, the encrypted password is saved until the first time the user connects. Consider the following:

  • If you enable password saving, Citrix Workspace app for iOS stores the password on the device for future logons and does not prompt for passwords when users connect to applications.


    The password is stored only if users enter a password when creating an account. If no password is entered for the account, no password is saved, regardless of the server setting.

  • If you disable password saving (default setting), Citrix Workspace app for iOS prompts users to enter passwords every time they connect.


For StoreFront direct connections, password saving is not available.

To override password saving

If you configure the server to save passwords, users who prefer to require passwords at logon can override password saving:

  • When creating the account, leave the password field blank.
  • When editing an account, delete the password and save the account.

Use the Save Password feature

Citrix Workspace app for iOS has a feature that streamlines the connection process by allowing you to save your password, which eliminates the extra step of having to authenticate a session every time you open Citrix Workspace app for iOS.


The save password functionality currently supports the PNA protocol. It does not support StoreFront native mode. However, this functionality works when StoreFront enables PNA legacy mode.

Configure StoreFront

To configure StoreFront to enable the save password functionality:

  1. If you are configuring an existing Store, go to step 3.

  2. To configure a new StoreFront deployment, follow the best practices described in Install, setup, and uninstall Citrix StoreFront.

  3. Open the Citrix StoreFront management console. Ensure the base URL uses HTTPS and is the same as the common name specified when generating your SSL certificate.

  4. Select the Store you want to configure.

  5. Click Configure XenApp Service Support.

  6. Enable XenApp Service support, select the Default store (optional), and Click OK.

  7. Navigate to the template configuration file located at c:\inetpub\wwwroot\Citrix\<store name>\Views\PnaConfig\.

  8. Make a backup of Config.aspx.

  9. Open the original Config.aspx file.

  10. Edit the line <EnableSavePassword>false</EnableSavePassword> to change the false value to true.

  11. Save the edited Config.aspx file.

  12. On the StoreFront server, run PowerShell with administrative rights.

  13. In the PowerShell console:

    a. cd “c:\Program Files\Citrix\Receiver StoreFront\Scripts”

    b. Type “Set-ExecutionPolicy RemoteSigned”

    c. Type “.\ImportModules.ps1”

    d. Type “Set-DSServiceMonitorFeature –ServiceUrl” https://localhost:443/StorefrontMonitor

  14. If you have a StoreFront group, run the same commands on all the members in the group.

Configure Citrix Gateway to save passwords


This configuration uses Citrix Gateway load balance servers.

To configure Citrix Gateway to support the save password functionality:

  1. Log in to the Citrix Gateway management console.

  2. Follow the Citrix best practices to create a certificate for your load balance virtual servers.

  3. On the configuration tab, navigate to Traffic Management -> Load Balancing -> Servers and click Add.

  4. Enter the server name and IP address of the StoreFront server.

  5. Click Create. If you have a StoreFront group, repeat step 5 for all the servers in the group.

  6. On the configuration tab, navigate to Traffic Management > Load Balancing > Monitor and click Add.

  7. Enter a name for the monitor. Select STOREFRONT as the Type. At the bottom of the page, select Secure (required since the StoreFront server is using HTTPS).

  8. Click the Special Parameters Tab. Enter the StoreFront name configured earlier, and select the Check Backed Services and click Create.

  9. On the Configuration tab navigate to Traffic Management > Load Balancing > Service Groups and click Add.

  10. Enter a name for your Service Group and set the protocol to SSL and click Ok.

  11. On the right-hand of the screen under Advanced Settings, select Settings.

  12. Enable Client IP and enter the following for the Header value: X-Forwarded-For and click OK.

  13. On the right-hand of the screen under Advanced Settings, select Monitors. Click the arrow to add new monitors.

  14. Click the Add button and then select the Select Monitor drop-down menu. A list of monitors (those configured on Citrix Gateway) appears.

  15. Click the radio button beside the monitors you created earlier and click Select, then click Bind.

  16. On the right-hand of the screen (under Advanced Settings), select Members. Click the arrow to add new service group members.

  17. Click the Add button and then select the Select Member drop-down menu.

  18. Select the Server Based radio button. A list of server members (those configured on Citrix Gateway) appears. Click the radio button beside the StoreFront servers you created earlier.

  19. Enter 443 for the port number and specify a unique number for the Hash ID, then click Create, then click Done. If everything has been configured properly, the Effective State should show a green light, indicating that monitoring is functioning properly.

  20. Navigate to Traffic Management -> Load Balancing -> Virtual Servers and click Add. Enter a name for the server and select SSL as the protocol.

  21. Enter the IP address for the StoreFront load-balanced server and click OK.

  22. Select the Load Balancing Virtual Server Service Group binding, click the arrow then add the Service Group created previously. Click OK twice.

  23. Assign the SSL certificate created for the Load Balance virtual server. Select No Server Certificate.

  24. Select the Load Balance server certificate from the list and click Bind.

  25. Add the domain certificate to the Load Balance Server. Click No CA certificate.

  26. Select the domain certificate and click Bind.

  27. On the right side of the screen, select Persistence.

  28. Change the Persistence to SOURCEIP and set the time-out to 20. Click Save, then click Done.

  29. On your domain DNS server, add the load balance server (if not already created).

  30. Launch Citrix Workspace app for iOS on your iOS device and enter the full XenApp URL.

Content Collaboration Service integration

Citrix Content Collaboration enables you to easily and securely exchange documents, send large documents by email, securely handle document transfers to third parties, and access a collaboration space. Citrix Content Collaboration provides many ways to work, including a web-based interface, mobile clients, desktop apps, and integration with Microsoft Outlook and Gmail.

You can access Citrix Content Collaboration functionality from the Citrix Workspace app using the Files tab displayed within Citrix Workspace app. You can view the Files tab only if Content Collaboration Service is enabled in the Workspace configuration in the Citrix Cloud console.


Citrix Content Collaboration integration in Citrix Workspace app is not supported on Windows Server 2012 and Windows Server 2016 due to a security option set in the operating system.

The following image displays example contents of the Files tab of the new Citrix Workspace app:



  • Resetting Citrix Workspace app does not cause Citrix Content Collaboration to log off.
  • Switching stores in Citrix Workspace app does not cause Citrix Content Collaboration to log off.

Customer Experience Improvement Program (CEIP)

Data Collected Description What we Use it for
Configuration and usage data The Citrix Customer Experience Improvement Program (CEIP) gathers configuration and usage data from Workspace app for iOS and automatically sends the data to Google Firebase. This data helps Citrix improve the quality, reliability, and performance of Workspace app.

Additional Information

Citrix will handle your data in accordance with the terms of your contract with Citrix, and protect it as specified in the Citrix Services Security Exhibit available on the Citrix Trust Center.

Citrix uses Google Firebase to collect certain data from Citrix Workspace app as part of CEIP. Please review how Google handles data collected for Google Firebase.

You may turn off sending CEIP data to Citrix and Google Firebase. To do this:

  1. Open Citrix Workspace app for iOS.
  2. Tap Home > Settings.
  3. Navigate to the General section.
  4. Disable the Send Usage Statistics option.

The specific CEIP data elements collected by Google Firebase are:

Session information and session launch method Citrix stores and store configuration Auth type and authentication configuration ICA connections
HDX session launch Store app session WebView action open WebView action copy
WebView action share Workspace app review Connection status, connection error, connection center usage External display
Socket status Session duration HDX over UDP Session launch time
Device information Device model info Send usage statistics App language, Workspace app language
Keyboard language Citrix store type Citrix store combination Store protocol type
Store count HDX UDP status RSA token installations  

Citrix Ready workspace hub

The Citrix Ready workspace hub combines digital and physical environments to deliver apps and data within a secure smart space. The complete system connects devices (or things), like mobile apps and sensors, to create an intelligent and responsive environment.

Citrix Ready workspace hub is built on the Raspberry Pi 3 platform. The device running Citrix Workspace app connects to the Citrix Ready workspace hub and casts the apps or desktops on a larger display.

For more information about Citrix Ready workspace hub, see Citrix Ready workspace hub documentation.

Citrix Ready workspace hub supports a Secure Sockets Layer (SSL) connection between mobile devices and the hub for security purposes. Set a Fully Qualified Domain Name (FQDN) either manually or automatically to uniquely identify each device. For more information, see Security connection in the Citrix Ready workspace hub documentation.

Citrix Ready workspace hub is enabled on Citrix Workspace app when all the following system requirements are met:

  • Citrix Workspace app 1810.1 for iOS or later
  • Bluetooth enabled
  • Mobile device and workspace hub using the same Wi-Fi network


To turn on Citrix Ready workspace hub features, go to Settings and tap Citrix Casting to enable the feature on your device. For more information, see the help documentation for the iOS devices.

Citrix Workspace app integrates a new procedure for adding or removing a workspace hub from the trusted list on iOS devices. For more information, see Security Connection.

Known limitation

  • On VDA 7.18 and earlier, casting to a workspace hub requires the desktop or other resource you are using to have the .h264 full-screen policy enabled and the legacy graphics policy to be disabled.

Session sharing

When users log off from a Citrix Workspace app for iOS account, if there are still connections to applications or desktops, they have the option to disconnect or log off:

  • Disconnect: Logs off from the account but leaves the Windows application or desktop running on the server. The user can then start another device, launch Citrix Workspace app for iOS, and reconnect to the last state before disconnecting from the iOS device. This option allows users to reconnect from one device to another device and resume working in running applications.
  • Log off: Logs off from the account, closes the Windows application, and logs off from the Citrix Virtual Apps and Desktops server. This option allows users to disconnect from the server and log off from the account. When they launch Citrix Workspace app for iOS again, it opens in the default state.

Workspace with intelligence

Starting with the 1911 release, the app is optimized to take advantage of the upcoming intelligent features when they are released. For more information, see Workspace Intelligence Features - Microapps.

iOS 13 and iPadOS support

Citrix Workspace app for iOS is supported on iOS 13 and iPadOS, including multitasking support on iPadOS.


  • The CR01 app is not supported on iOS 13. If you are using the CR01 app, Citrix recommends that you do not upgrade to iOS 13.

  • If you use the SHA-1 certificate chain, you might need to switch to the SHA-2 certificate chain. SHA-1 signed certificates are no longer trusted on iOS 13. For more information on TLS server certificates, see Requirements for trusted certificates in iOS 13 and macOS 10.15.

  • In iOS 13, launching sessions from the Safari web browser has changed. For more information, see the help documentation.

With support for AssistiveTouch, Citrix Workspace app for iOS now connects to the Citrix X1 Mouse differently. Citrix Workspace app no longer connects to the Citrix X1 Mouse at launch. Therefore, the Citrix X1 Mouse icon is no longer available on the toolbar next to the Settings icon. To see if access to a paired Citrix X1 Mouse is enabled for Citrix Workspace app, navigate to Settings > Citrix X1 Mouse.

Session roaming on iPad

Starting with 1906 release, session roaming is available on iPhone and iPad touch devices when using a cloud store. For more information, see the help documentation for iOS devices.

Keyboard layout synchronization

Keyboard layout synchronization enables users to switch preferred keyboard layouts on the client device. This feature is disabled by default.

To enable keyboard layout synchronization, go to Settings > Keyboard Options and enable the Keyboard Layout Sync option.


Using the local keyboard layout option activates the client IME (Input Method Editor). If you are working in Japanese, Chinese, or Korean language and prefer to use the server IME, disable the local keyboard layout option by clearing the option in Preferences > Keyboard.

Host to client redirection

Content redirection allows you to control whether users access information by using applications published on servers or applications running locally on user devices.

Host to client redirection is one type of content redirection. It is supported only on Server OS VDAs (not Desktop OS VDAs).

When host to client redirection is enabled, URLs are intercepted at the server VDA and sent to the user device. The web browser or multimedia player on the user device opens these URLs. If you enable host to client redirection and the user device fails to connect to a URL, the URL is redirected back to the server VDA. When host to client redirection is disabled, users open the URLs with web browsers or multimedia players on the server VDA. When host to client redirection is enabled, users cannot disable it.

Host to client redirection was previously known as server to client redirection.

For more information, see General content redirection.

Support for Purebred derived credentials

Starting with the 1810 release, Citrix Workspace app for iOS introduces support for Purebred derived credentials. When connecting to a Store that allows derived credentials, users can log on to Citrix Workspace app for iOS using a virtual smart card. This feature is supported only on on-premises deployments.


Citrix Virtual Apps and Desktops 7 1808 or later is required to use this feature.

For information on configuring derived credentials, see Derived credentials.