Configuration

Content Collaboration Service integration in Citrix Workspace app

Citrix Content Collaboration enables you to easily and securely exchange documents, send large documents by email, securely handle document transfers to third parties, and access a collaboration space. Citrix Content Collaboration provides many ways to work, including a web-based interface, mobile clients, desktop apps, and integration with Microsoft Outlook and Gmail.

You can access Citrix Content Collaboration functionality from the Citrix Workspace app using the Files tab displayed within Citrix Workspace app. You can view the Files tab only if Content Collaboration Service is enabled in the Workspace configuration in the Citrix Cloud console.

Note:

Citrix Content Collaboration integration in Citrix Workspace app is not supported on Windows Server 2012 and Windows Server 2016 due to a security option set in the operating system.

The following image displays example contents of the Files tab of the new Citrix Workspace app:

Files

Limitations:

  • Resetting Citrix Workspace app does not cause Citrix Content Collaboration to log off.
  • Switching stores in Citrix Workspace app does not cause Citrix Content Collaboration to log off.

Configure your environment

Citrix Workspace app for iOS supports the configuration of Web Interface for your Citrix Virtual Apps deployment. There are two types of Web Interface sites: XenApp Services sites and Citrix Virtual Apps and Desktops Sites. Web Interface sites enable client devices to connect to the server farm. Authentication between Citrix Workspace app for iOS and a Web Interface site can be handled using various solutions, including Citrix Secure Web Gateway.

Also, you can configure StoreFront to provide authentication and resource delivery services for Citrix Workspace app for iOS, enabling you to create centralized enterprise stores to deliver desktops, applications, and other resources to users.

For more information about configuring connections, including videos, blogs, and a support forum, see http://community.citrix.com.

Before your users access applications hosted in your Citrix Virtual Apps and Desktops deployment, configure the following components in your deployment as described here.

  • When publishing applications on your farms or sites, consider the following options to enhance the experience for users accessing those applications through StoreFront stores.

    • Ensure that you include meaningful descriptions for published applications because these descriptions are visible to users in Citrix Workspace app for iOS.
    • You can emphasize published applications for your mobile device users by listing the applications in the Featured list of Citrix Workspace app for iOS. To populate this list on Citrix Workspace app for iOS, edit the properties of applications published on your servers and append the KEYWORDS:Featured string to the value of the Application description field.
    • To enable the screen-to-fit mode that adjusts the application to the screen size of mobile devices, edit the properties of applications published on your servers and append the KEYWORDS:mobile string to value of the Application description field. This keyword also activates the auto-scroll feature for the application.
    • To automatically subscribe all users of a store to an application, append the KEYWORDS:Auto string to the description you provide when you publish the application in Citrix Virtual Apps. When users log on to the store, the application is automatically provisioned without users needing to manually subscribe to the application.
  • If the Web Interface of your Citrix Virtual Apps and Desktops deployment does not have a Web site or Citrix Virtual Apps and Desktops Site, create one. The name of the site and how you create it depends on the version of Web Interface you have installed. For instructions on how to create one of these sites, see the “Creating Sites” topic for your version of Web Interface.

Configure StoreFront

Important:

  • When using StoreFront, Citrix Workspace app for iOS supports Citrix Access Gateway Enterprise Edition versions from 9.3, and Citrix Gateway versions through 12.
  • Citrix Workspace app for iOS supports only XenApp Services sites on Web Interface.
  • Citrix Workspace app for iOS supports launching sessions from Workspace for Web, as long as the web browser works with Workspace for Web. If launches do not occur, configure your account through Citrix Workspace app for iOS directly. Users must manually open the ICA file using the browser Open in Workspace function. For the limitations of this deployment, see the StoreFront documentation.

With StoreFront, the stores you create consist of services that provide authentication and resource delivery infrastructure for Citrix Workspace app for iOS. Create stores that enumerate and aggregate desktops and applications from Citrix Virtual Apps and Desktops sites and Citrix Virtual Apps farms, making these resources available to users.

  1. Install and configure StoreFront. For details, see StoreFront in the Technologies > StoreFront section of Product Documentation. For administrators who need more control, Citrix provides a template you can use to create a download site for Citrix Workspace app for iOS.
  2. Configure stores for StoreFront as you would for other Citrix Virtual Apps and Desktops applications. No special configuration is needed for mobile devices. For details, see User Access Options in the StoreFront section of Product Documentation. For mobile devices, use either of these methods:
    • Provisioning files. You can provide users with provisioning files (.cr) containing connection details for their stores. After installation, users open the file on the device to configure Citrix Workspace app for iOS automatically. By default, Workspace for Web sites offer users a provisioning file for the single store for which the site is configured. Alternatively, you can use the Citrix StoreFront management console to generate provisioning files for single or multiple stores that you can manually distribute to your users.
    • Manual configuration. You can directly inform users of the Citrix Gateway or store URLs needed to access their desktops and applications. For connections through Citrix Gateway, users also need to know the product edition and required authentication method. After installation, users type these details into Citrix Workspace app for iOS, which attempts to verify the connection and, if successful, prompts users to log on.
    • Automatic configuration. Tap Add Account on the Welcome screen and type the URL of the StoreFront server in the address field. The configuration of the account happens automatically while the account is added.

To configure Citrix Gateway

If you have users who connect from outside the internal network (for example, users who connect from the internet of from remote locations), configure authentication through Citrix Gateway.

  • When using StoreFront, Citrix Workspace app for iOS supports Citrix Access Gateway Enterprise Edition versions from 9.3, and Citrix Gateway versions through 12.

To configure Citrix Workspace app for iOS to access apps

  1. If you want to configure Citrix Workspace app for iOS to automatically access apps when creating an account, in the Address field, type the matching URL of your store, such as storefront.organization.com.
  2. Select the Use Smartcard option when you are using a smart card to authenticate.
  3. For manual configuration (accessible by tapping Options>Manual Setup), continue by completing the remaining fields and select the Citrix Gateway authentication method, such as enabling the security token, selecting the type of authentication, and saving the settings.

Note:

Logons to the store are valid for about one hour. After that time, users must log on again to refresh or launch other applications.

Configure client certificate authentication

Important:

  • When using StoreFront, Citrix Workspace app for iOS supports Citrix Access Gateway Enterprise Edition versions from 9.3, and NetScaler Gateway versions through 11.
  • Client certificate authentication is supported by Citrix Workspace app for iOS.
  • Only Access Gateway Enterprise Edition 9.x and 10.x (and subsequent releases) support client certificate authentication.
  • Double-source authentication types must be CERT and LDAP.
  • Citrix Workspace app for iOS also supports optional client certificate authentication.
  • Only P12 formatted certificates are supported.

Users logging on to an Citrix Gateway virtual server can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, LDAP, to provide double-source authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on Citrix Gateway.

When users log on to the Citrix Gateway virtual server, after authentication, the user name and domain information is extracted from the specified field of the certificate. This information must be in the certificate’s SubjectAltName:OtherName:MicrosoftUniversalPrincipalName field. It is in the format “username@domain.”If the user name and domain are extracted successfully, and the user provides the other required information (for example, a password), then the user is authenticated. If the user does not provide a valid certificate and credentials, or if the username/domain extraction fails, authentication fails.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.

To configure the XenApp Services site

If you do not already have a XenApp Services site created, in the Citrix Virtual Apps console or Web Interface console (depending on the version of Citrix Virtual Apps you have installed), create a XenApp Services site for mobile devices.

Citrix Workspace app for iOS for mobile devices uses a XenApp Services site to get information about the applications a user has rights to and presents them to the app running on the device. This is similar to the way you use the Web Interface for traditional SSL-based Citrix Virtual Apps connections for which an Citrix Gateway can be configured.

Configure the XenApp Services site for Citrix Workspace app for iOS for mobile devices to support connections from an Citrix Gateway connection.

  1. In the XenApp Services site, select Manage secure client access > Edit secure client access settings.
  2. Change the Access Method to Gateway Direct.
  3. Enter the FQDN of the Citrix Gateway appliance.
  4. Enter the Secure Ticket Authority (STA) information.

To configure the Citrix Gateway appliance

For client certificate authentication, configure Citrix Gateway with two-factor authentication using two authentication policies: Cert and LDAP.

  1. Create a session policy on Citrix Gateway to allow incoming Citrix Virtual Apps connections from Citrix Workspace app for iOS, and specify the location of your newly created XenApp Services site.
    • Create a session policy to identify that the connection is from Citrix Workspace app for iOS. As you create the session policy, configure the following expression and choose Match All Expressions as the operator for the expression:

      REQ.HTTP.HEADER User-Agent CONTAINS CitrixWorkspace

    • In the associated profile configuration for the session policy, on the Security tab, set Default Authorization to Allow.

      On the Published Applications tab, if this is not a global setting (you selected the Override Global check box), ensure that the ICA Proxy field is set to ON.

      In the Web Interface Address field, type the URL including the config.xml for the XenApp Services site that the device users use, such as //XenAppServerName/Citrix/PNAgent/config.xml or /XenAppServerName/CustomPath/config.xml.

    • Bind the session policy to a virtual server.

    • Create authentication policies for Cert and LDAP.

    • Bind the authentication policies to the virtual server.

    • Configure the virtual server to request client certificates in the TLS handshake (on the Certificate tab, open SSL Parameters, and for Client Authentication, set Client Certificate to Mandatory. Important: If the server certificate used on Citrix Gateway is part of a certificate chain (with an intermediate certificate), ensure that the intermediate certificates are also installed correctly on Citrix Gateway. For information about installing certificates, see Citrix Gateway documentation.

To configure the mobile device for Citrix Workspace app for iOS

If client certificate authentication is enabled on Citirx Gateway, users are authenticated based on certain attributes of the client certificate. After authentication is completed successfully, the user name and domain are extracted from the certificate and any policies specified for that user are applied.

  1. From Citrix Workspace app for iOS, open the Account, and in the Server field, type the matching FQDN of your Citrix Gateway server, such as GatewayClientCertificateServer.organization.com. Citrix Workspace app for iOS automatically detects that the client certificate is required.
  2. Users can either install a new certificate or choose one from the already installed certificate list. For iOS client certificate authentication, the certificate must be downloaded and installed by Citrix Workspace app for iOS only.
  3. After selecting a valid certificate, the user name and domain fields on the logon screen is prepopulated using the user name information from the certificate, and a user types the remaining details, including the password.
  4. If client certificate authentication is set to optional, users can skip the certificate selection by pressing Back on the certificates page. In this case, Citrix Workspace app for iOS proceeds with the connection and provides the user with the logon screen.
  5. After users complete the initial log on, they can start applications without providing the certificate again. Citrix Workspace app for iOS stores the certificate for the account and uses it automatically for future logon requests.

Configure Secure Web Gateway

To configure the XenApp Services site

Important:

  • Secure Web Gateway 3.x is supported by Citrix Workspace app for iOS using XenApp Services sites.
  • Secure Web Gateway 3.x is supported by Citrix Workspace app for iOS using Citrix Virtual Apps Web sites.
  • Only single-factor authentication is supported on XenApp Services sites, and both single-factor and dual factor are supported on Citrix Virtual Apps Web sites.
  • You must use Web Interface 5.4, which is supported by all built-in browsers.

Before beginning this configuration, install and configure Citrix Gateway to work with Web Interface. You can adapt these instructions to fit your specific environment.

If you are using a Secure Web Gateway connection, do not configure Citrix Gateway settings on Citrix Workspace app for iOS.

Citrix Workspace app for iOS uses a XenApp Services site to get information about the applications a user has rights to and presents them to Citrix Workspace app for iOS running on the device. This is similar to the way you use the Web Interface for traditional SSL-based Citrix Virtual Apps connections for which an Citrix Gateway can be configured. XenApp Services sites running on the Web Interface 5.x have this configuration ability built in.

Configure the XenApp Services site to support connections from a Secure Web Gateway connection:

  1. In the XenApp Services site, select Manage secure client access > Edit secure client access settings.
  2. Change the Access Method to Gateway Direct.
  3. Enter the FQDN of the Secure Web Gateway.
  4. Enter the Secure Ticket Authority (STA) information.

Note:

For the Secure Web Gateway, Citrix recommends using the Citrix default path for this site (//XenAppServerName/Citrix/PNAgent). The default path enables your users to specify the FQDN of the Secure Web Gateway they are connecting to instead of the full path to the config.xml file that resides on the XenApp Services site (such as //XenAppServerName/CustomPath/config.xml).

To configure the Secure Web Gateway

  1. On the Secure Web Gateway, use the Secure Web Gateway Configuration wizard to configure the Secure Web Gateway to work with the server in the secure network hosting the XenApp Service site. After selecting the Indirect option, enter the FQDN path of your Secure Web Gateway Server and continue the wizard steps.
  2. Test a connection from a user device to verify that the Secure Web Gateway is configured correctly for networking and certificate allocation.

To configure the mobile device for Citrix Workspace app for iOS

  1. When adding a Secure Web Gateway account, enter the matching FQDN of your Secure Web Gateway server in the Address field:
    • If you created the XenApp Services site using the default path (/Citrix/PNAgent), enter the Secure Web Gateway FQDN: FQDNofSecureGateway.companyName.com
    • If you customized the path of the XenApp Services site, enter the full path of the config.xml file, such as: FQDNofSecureGateway.companyName.com/CustomPath/config.xml
  2. If you are manually configuring the account, then turn off the Citrix Gateway option New Account dialog.

Configure Web Interface

To configure the Web Interface site

Users with iPhone and iPad devices can launch applications through your Web Interface site and the built-in Safari browser on the mobile device. Configure the Web Interface site the same as you would for other Citrix Virtual Apps applications. If no XenApp Services site is configured for the mobile device, Citrix Workspace app for iOS automatically uses your Web Interface site. No special configuration is needed for mobile devices.

Web Interface 5.x is supported by the built-in Safari browser.

To launch applications on the iOS device

On the mobile device, users can log on to the Web Interface site using their normal logon and password.

Configure mobile devices automatically

In StoreFront, use the Export Multi-Store Provisioning File and Export Provisioning File tasks to generate files containing connection details for stores, including any Citrix Gateway deployments and beacons configured for the stores. Make these files available to users to enable them to configure Citrix Workspace app for iOS automatically with details of the stores. Users can also obtain Citrix Workspace app for iOS provisioning files from Workspace for Web sites.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.

  1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile. Select the Stores node in the left pane of the Citrix StoreFront management console.
  2. To generate a provisioning file containing details for multiple stores, in the Actions pane, click Export Multi-Store Provisioning File and select the stores to include in the file.
  3. Click Export and Save the provisioning file with a .cr extension to a suitable location on your network.

Configure accounts manually

In general, when Citrix Workspace app for iOS connects to Citrix Gateway, Citrix Workspace app for iOS attempts to locate a XenApp Services site or Citrix Virtual Apps Web site after authenticating. If no site is detected, Citrix Workspace app for iOS displays an error. To avoid this situation, you can configure an account manually so Citrix Workspace app for iOS can connect to Citrix Gateway.

  1. Tap the Accounts icon in the upper right corner and then in the Accounts screen, tap the Plus Sign (+). The New Account screen appears.
  2. In the lower left corner of the screen, tap the icon to the left of Options and tap Manual setup. Additional fields appear on the screen.
  3. In the Address field, type the secure URL of the site or Citrix Gateway to which you want to connect (for example, agee.mycompany.com).
  4. Select one of the following connection options. The remaining fields on the screen change, depending on your selection.
    • Web Interface - Select for Citrix Workspace app for iOS to display a Citrix Virtual Apps Web site similar to a Web browser. This is also known as Web View.
    • XenApp Services - Select for Citrix Workspace app for iOS to locate a specific XenApp Services site for which authentication through Citrix Gateway is not configured. In the additional options that appear on this screen, provide site logon credentials.
      • <StoreFront FQDN>: If there are multiple stores, a list will be presented and the user can choose the store to add.
      • <StoreFront FQDN>/citrix/<Store Name>: This will add the StoreFront store <Store Name>.
      • <StoreFront FQDN>/citrix/PnAgent/config.xml: This will add the default legacy PNAgent store.
      • <StoreFront FQDN>/citrix/<Store Name>/PnAgent/config.xml: This will add the legacy PNAgent store associated with <Store Name>.
    • Citrix Gateway - Select for Citrix Workspace app for iOS to connect to a XenApp Services site through a specific Citrix Gateway. In the additional options on this screen, select the server edition and its logon credentials, including whether it requires a security token for authentication.
  5. For certificate security, use the setting in the Ignore certificate warnings field to determine whether you want to connect to the server even if it has an invalid, self-signed, or expired certificate. The default setting is OFF. Important: If you do enable this option, make sure you are connecting to the correct server. Citrix strongly recommends that all servers have a valid certificate to protect user devices from online security attacks. A secure server uses an SSL certificate issued from a certificate authority. Citrix does not support self-signed certificates and does not recommend by-passing the certificate security.
  6. Tap Save.
  7. Type your user name and password (or token, if you selected two-factor authentication), and then tap Log On. The Citrix Workspace app for iOS screen appears, in which you can access your desktops and add and open your apps.

Configure derived credentials

Support for Purebred derived credentials within Citrix Workspace app for iOS is available. When connecting to a Store that allows derived credentials, users can log on to Citrix Workspace app for iOS using a virtual smart card. This feature is supported only on on-premises deployments.

Note:

Citrix Virtual Apps and Desktops 7 1808 or later is required to use this feature.

To enable derived credentials in Citrix Workspace app for iOS:

  1. Go to Settings > Advanced > Derived Credentials.
  2. Tap Use Derived Credentials.

Then, to create a virtual smart card to use with derived credentials:

  1. In Settings > Advanced > Derived Credentials, tap Add New Virtual Smart Card.
  2. Edit the name of the virtual smart card.
  3. Enter an 8-digit numeric-only PIN and confirm.
  4. Tap Next.
  5. Under Authentication Certificate, tap Import Certificate…
  6. The document picker displays. Tap Browse.
  7. Under Locations, select Purebred Key Chain.
  8. Select the desired authentication certificate from the list.
  9. Tap Import Key.
  10. Repeat steps 5-9 for the Digital Signature Certificate and the Encryption Certificate, if desired.
  11. Tap Save.

You can import up to three certificates for your virtual smart card. The authentication certificate is required for the virtual smart card to work properly. The encryption certificate and digital signature certificate can be added for use inside of a VDA session.

Note:

When connecting to an HDX session, the created virtual smart card is redirected into the session.

Known limitations

  • Users can only have one active card at a time.
  • Once a virtual smart card is created, it cannot be edited. To make changes to the virtual smart card, users must delete the card and create a new card.
  • A PIN can be invalid up to 10 times. After the 10th attempt, the virtual smart card gets deleted.
  • When derived credentials are selected, the created virtual smart card overrides a physical smart card when a smart card is needed in a session.

Configure Citrix Ready workspace hub

Citrix Ready workspace hub is enabled on Citrix Workspace app when all the following system requirements are met:

  • Citrix Workspace app 1810.1 for iOS or later
  • Bluetooth enabled
  • Mobile device and workspace hub using the same Wi-Fi network

Configure

To turn on Citrix Ready workspace hub features, go to Settings and tap Workspace Hub to enable the feature on your device.

Known Limitations

  • Roaming sessions are limited to iPhone devices connecting to on-premises stores.
  • On VDA 7.18 or earlier, casting to a workspace hub requires that the resource/desktop you are using has the .h264 full screen policy enabled and the legacy graphics policy is disabled.