Deploy

Provide access information to end users for iOS devices

You must provide users with the Citrix Workspace app for iOS account information they need to access their hosted their applications, desktops, and data. You can provide this information by:

  • Configuring email-based account discovery
  • Providing users with a provisioning file
  • Providing users with account information to enter manually

Configure email-based account discovery

You can configure Citrix Workspace app for iOS to use email-based account discovery. When configured, users enter their email address rather than a server URL during initial Citrix Workspace app for iOS installation and configuration. Citrix Workspace app for iOS determines the Access Gateway or StoreFront server, or AppController virtual appliance associated with the email address based on Domain Name System (DNS) Service (SRV) records and then prompts the user to log on to access their hosted applications, desktops, and data.

Note:

Email-based account discovery is not supported if Citrix Workspace app for iOS is connecting to a Web Interface deployment.

Provide users with a provisioning file

You can use StoreFront to create provisioning files containing connection details for accounts. You make these files available to your users to enable them to configure Citrix Workspace app for iOS automatically. After installing Citrix Workspace app for iOS, users simply open the .cr file on the device to configure Citrix Workspace app for iOS. If you configure Workspace for Web sites, users can also obtain Citrix Workspace app for iOS provisioning files from those sites.

For more information, see the StoreFront documentation.

Provide users with account information to enter manually

If providing users with account details to enter manually, ensure you distribute the following information to enable them to connect to their hosted and desktops successfully:

  • The StoreFront URL or XenApp Services site hosting resources; for example: servername.company.com.

  • For access using Citrix Gateway, provide the Citrix Gateway address and required authentication method.

When a user enters the details for a new account, Citrix Workspace app for iOS attempts to verify the connection. If successful, Citrix Workspace app for iOS prompts the user to log on to the account.

Session sharing

When users log off from a Citrix Workspace app for iOS account, if there are still connections to applications or desktops, they have the option to disconnect or log off:

  • Disconnect: Logs off from the account, but leaves the Windows application or desktop running on the server, and the user can then start another device, launch Citrix Workspace app for iOS, and reconnect to the last state before disconnecting from the iOS device. This option allows users to reconnect from one device to another device and resume working in running applications.
  • Log off: Logs off from the account, closes the Windows application, and logs off from the Citrix Virtual Apps and Desktops server. This option allows users to disconnect from the server and log off the account; when they launch Citrix Workspace app for iOS again, it opens in the default state.

Provide RSA SecurID authentication for iOS devices

RSA SecurID authentication for Citrix Workspace app for iOS is supported for Secure Web Gateway configurations (through the Web Interface only) and all Citrix Gateway configurations.

URL scheme required for the software token on Citrix Workspace app for iOS: The RSA SecurID software token used by Citrix Workspace app for iOS registers the URL scheme com.citrix.securid only.

If users have installed both the Citrix Workspace app for iOS app and the RSA SecurID app on their iOS device, users must select the URL scheme “com.citrix.securid” to import the RSA SecurID Software Authenticator (software token) to Citrix Workspace app for iOS on their devices.

To import an RSA SecurID soft token into Citrix Workspace app for iOS

To use an RSA Soft Token with the Citrix Workspace app for iOS, have your users follow this procedure.

The policy for PIN length, type of PIN (numeric only, alphanumeric), and limits on PIN reuse are specified on the RSA administration server.

Your users should only need to do this once, after they have successfully authenticated to the RSA server. After your users verify their PINs, they are are also authenticated with the StoreFront server, and it presents available, published applications and desktops.

To use an RSA soft token with Citrix Workspace app for iOS

  1. Import the RSA soft token provided to you by your organization.

  2. From the email with your SecurID file attached, select Open in Workspace as the import destination. After the soft token is imported, Citrix Workspace app for iOS opens automatically.

  3. If your organization provided a password to complete the import, enter the password provided to you by your organization and click OK. After clicking OK, you will see a message that the token was successfully imported.

  4. Close the import message, and in Citrix Workspace app for iOS, click the Add Account.

  5. Enter the URL for the Store provided by your organization and click Next.

  6. On the Log On screen, enter your credentials: user name, password, and domain. For the Pin field, enter 0000, unless your organization has provided you with a different default PIN. (The PIN 0000 is an RSA default, but your organization may have changed it to comply with their security policies.)

  7. At the top left, click Log On. After you click Log On, you are prompted to create a new PIN.

  8. Enter a PIN from 4 to 8 digits and click OK.

  9. You are then prompted to verify your new PIN. Re-enter your PIN and click OK. After clicking OK, you will be able to access your apps and desktops.

Support for Next Token Mode

If you configure Citrix Gateway for RSA SecurID authentication, Citrix Workspace app for iOS supports Next Token Mode. With this feature enabled, if a user enters three (by default) incorrect passwords, the Citrix Gateway plug-in prompts the user to wait until the next token is active before logging on. The RSA server can be configured to disable a user’s account if a user logs on too many times with an incorrect password.

Save Passwords

Using the Citrix Web Interface Management console, you can configure the authentication method to allow users to save their passwords. When you configure the user account, the encrypted password is saved until the first time the user connects. Consider the following:

  • If you enable password saving, Citrix Workspace app for iOS stores the password on the device for future logons and does not prompt for passwords when users connect to applications.

Note:

The password is stored only if users enter a password when creating an account. If no password is entered for the account, no password is saved, regardless of the server setting.

  • If you disable password saving (default setting), Citrix Workspace app for iOS prompts users to enter passwords every time they connect.

Note:

For StoreFront direct connections, password saving is not available.

To override password saving

If you configure the server to save passwords, users who prefer to require passwords at logon can override password saving:

  • When creating the account, leave the password field blank.
  • When editing an account, delete the password and save the account.

Using the Save Password feature

Citrix Workspace app for iOS has a feature that streamlines the connection process by allowing you to save your password, which eliminates the extra step of having to authenticate a session everytime you open Citrix Workspace app for iOS.

Note:

The save password functionality currently works with the PNA protocol. It does not work with StoreFront native mode; however, this functionality works when StoreFront enables PNA legacy mode.

Configuring StoreFront PNA legacy mode

To configure StoreFront PNA legacy mode to enable the save password functionality:

  1. If you are configuring an existing Store, go to step 3.

  2. To configure a new StoreFront deployment, follow the best practices described in Install, setup, and uninstall Citrix StoreFront.

  3. Open the Citrix StoreFront management console. Ensure the base URL uses HTTPS and is the same as the common name specified when generating your SSL certificate.

  4. Select the Store you want to configure.

  5. Click Configure XenApp Service Support.

  6. Enable Legacy Support, and Click OK.

  7. Navigate to the template configuration file located at c:\\inetpub\wwwroot\Citrix\<store name>\Views\PnaConfig\.

  8. Make a backup of Config.aspx.

  9. Open the original Config.aspx file.

  10. Edit the line <EnableSavePassword>false</EnableSavePassword> to change the false value to true.

  11. Save the edited Config.aspx file.

  12. On the StoreFront server, run PowerShell with administrative rights.

  13. In the PowerShell console:

    a. cd “c:\\Program Files\Citrix\Workspace StoreFront\Scripts”

    b. Type “Set-ExecutionPolicy RemoteSigned”

    c. Type “.\\ImportModules.ps1”

    d. Type “Set-DSDerviceMonitorFeature –ServiceUrl https://localhost:443/StorefrontMonitor

  14. If you have a StoreFront group, run the same commands on all the members in the group.

Configuring Citrix Gateway to save passwords

Note:

This configuration uses Citrix Gateway load balance servers.

To configure Citrix Gateway to support the save password functionality:

  1. Log in to the Citrix Gateway management console.

  2. Follow the Citrix best practices to create a certificate for your load balance virtual server(s).

  3. On the configuration tab, navigate to Traffic Management -> Load Balancing -> Servers and click Add.

  4. Enter the server name and IP address of the StoreFront server.

  5. Click Create. If you have a StoreFront group, repeat step 5 for all the servers in the group.

  6. On the configuration tab, navigate to Traffic Management -> Load Balancing -> Monitor and click Add.

  7. Enter a name for the monitor. Select STOREFRONT as the Type. At the bottom of the page, select Secure (this is required since the StoreFront server is using HTTPS).

  8. Click the Special Parameters Tab. Enter the StoreFront name configured earlier, and select the Check Backed Services and click Create.

  9. On the Configuration tab navigate to Traffic Management -> Load Balancing -> Service Groups and click Add.

  10. Enter a name for your Service Group and set the protocol to SSL. Click Ok.

  11. On the right-hand of the screen under Advanced Settings, select Settings.

  12. Enable Client IP and enter the following for the Header value: X-Forwarded-For and click OK.

  13. On the right-hand of the screen under Advanced Settings, select Monitors. Click the arrow to add new monitors.

  14. Click the Add button and then select the Select Monitor drop down; a list of monitors (those configured on Citrix Gateway) appears.

  15. Click the radio button beside the monitor(s) you created earlier and click Select, then click Bind.

  16. On the right-hand of the screen (under Advanced Settings), select Members. Click the arrow to add new service group members.

  17. Click the Add button and then select the Select Member drop down.

  18. Select the Server Based radio button; a list of server members (those configured on Citrix Gateway) appears. Click the radio button beside the StoreFront server(s) you created earlier.

  19. Enter 443 for the port number and specify a unique number for the Hash ID, then click Create, then click Done. If everything has been configured properly, the Effective State should show a green light, indicating that monitoring is functioning properly.

  20. Navigate to Traffic Management -> Load Balancing -> Virtual Servers and click Add. Enter a name for the server and select SSL as the protocol.

  21. Enter the IP address for the StoreFront load-balanced server and click OK.

  22. Select the Load Balancing Virtual Server Service Group binding, click the arrow then add the Service Group created previously. Click OK twice.

  23. Assign the SSL certificate created for the Load Balance virtual server. Select No Server Certificate.

  24. Select the Load Balance server certificate from the list and click Bind.

  25. Add the domain certificate to the Load Balance Server. Click No CA certificate.

  26. Select the domain certificate and click Bind.

  27. On the right side of the screen, select Persistence.

  28. Change the Persistence to SOURCEIP and set the time out to 20. Click Save, then click Done.

  29. On your domain DNS server, add the load balance server (if not already created).

  30. Launch Citrix Workspace app for iOS on your iOS device and enter the full XenApp URL.