Citrix Workspace app for iOS

Prerequisites for installing

System requirements and compatibility

Device requirements

  • Citrix Workspace app version 21.9.1 or later for iOS supports iOS 15 and iPadOS 15.
  • Citrix Workspace app version 21.2.0 or later for iOS does not support iOS 10.x.
  • Citrix Workspace app version 20.9.0 or later for iOS supports iOS 14 and iPadOS 14.
  • Citrix Workspace app version 19.9.0 or later for iOS supports iOS 13 and iPadOS.
  • Citrix Workspace app version 18.8.0 or later for iOS supports iOS 12.
  • This software update has been validated on the following devices:
    • iPhone 7x models, iPhone 8x models, and the iPhone X model only.
    • All iPad models (including iPad Pro), except iPad 1 and iPad 2, which aren’t supported.
  • External display support
    • iPhone - as supported by iOS.
    • iPad - as supported by iOS (does not use the whole screen).

Server requirements

Verify that you’ve installed all the latest hotfixes for your servers.

  • For connections to virtual desktops and apps, Citrix Workspace app supports Citrix StoreFront and Web Interface.

    StoreFront:

    • StoreFront 3.6 or later (recommended). Citrix Workspace app has been validated with the latest version of StoreFront; previous supported versions include StoreFront 2.6 or later.

      Provides direct access to StoreFront stores. Citrix Workspace app also supports prior versions of StoreFront.

      Note:

      With XenApp and XenDesktop 7.8, Citrix introduced support for the Framehawk virtual channel and 3D Pro. This functionality was extended to Citrix Workspace app.

    • StoreFront configured with a Workspace for website

      Provides access to StoreFront stores from a Safari web browser. Users must manually open the ICA file using the browser. For the limitations of this deployment, see the StoreFront documentation.

    Web Interface:

    • Web Interface 5.4 with Web Interface sites

    • Web Interface 5.4 with XenApp and XenDesktop Sites

    • Web Interface on Citrix Gateway (browser-based access only using Safari)

      Enable the rewrite policies provided by Citrix Gateway.

  • Citrix Virtual Apps and Desktops, XenApp, and XenDesktop (any of the following products):

    • Citrix Virtual Apps and Desktops 7 1808 or later
    • Citrix XenDesktop 7.x or later
    • Citrix XenApp 7.5 or later

Connections, certificates, and authentication

For connections to StoreFront, Citrix Workspace app supports the following authentication methods:

| Authentication method | Workspace for Web using browsers | StoreFront Services site (native) | StoreFront XenApp and XenDesktop Site (native) | Citrix Gateway to Workspace for Web (browser) | Citrix Gateway to StoreFront Services site (native) |
|---|---|---|---|---|---|
| Anonymous | Yes | Yes | | | |
| Domain | Yes | Yes | Yes | Yes* | Yes* |
| Domain pass-through | Yes | Yes | Yes | | |
| Security token | | | | Yes* | Yes* |
| Two-factor authentication (domain with security token) | | | | Yes* | Yes* |
| SMS | | | | Yes* | No |
| Smart card | | Yes | | Yes* | Yes* |
| User certificate | | | | Yes (Citrix Gateway plug-in) | Yes (Citrix Gateway plug-in) |

*Available only for:

  • Workspace for websites
  • Deployments that include Citrix Gateway, with or without installing the associated plug-in on the device.

For connections to the Web Interface 5.4, Citrix Workspace app supports the following authentication methods:

Note:

Web Interface uses the term Explicit to represent domain and security token authentication.

| Authentication method | Web Interface (browsers) | Web Interface XenApp and XenDesktop Site | Citrix Gateway to Web Interface (browser) | Citrix Gateway to Web Interface XenApp and XenDesktop Site |
|---|---|---|---|---|
| Anonymous | Yes | | | |
| Domain | Yes | Yes | Yes* | |
| Domain pass-through | Yes | | | |
| Security token | | | Yes* | |
| Two-factor authentication (domain with security token) | | | Yes* | |
| SMS | | | Yes* | |
| Smart card | | | | |
| User certificate | | | Yes (Require Citrix Gateway plug-in) | |

Certificates

Private (self-signed) certificates

You can successfully access Citrix resources using Citrix Workspace app:

  • when a private certificate is installed on the remote gateway.
  • when the root certificate for the organization’s certificate authority is installed on the device.

Note:

When the remote gateway’s certificate cannot be verified upon connection (because the root certificate isn’t included in the local keystore), an untrusted certificate warning appears. If a user chooses to continue through the warning, a list of applications is displayed; however, applications fail to start.

Manually installed certificate

In iOS 10.3 and later, a certificate included in a profile that you install manually isn’t automatically trusted for SSL. To trust manually installed certificate profiles in iOS:

  1. Make sure you’ve installed the certificate profile on the device.
  2. Go to Settings > General > About > Certificate Trust Settings.

    Each root that has been installed through a profile appears under Enable Full Trust For Root Certificates.

  3. You can toggle trust on or off for each root.

Import root certificates on iPad and iPhone devices

Obtain the root certificate of the certificate issuer and email it to an email account configured on your device. When you click the attachment, you’re asked to import the root certificate.

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app supports wildcard certificates.

Intermediate certificates and Citrix Gateway

When your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway (or Access Gateway) server certificate. Also, for Access Gateway installations, see the Install, link, and update certificates article that matches your requirement in the Citrix ADC documentation.

RSA SecurID authentication is supported for Secure Gateway configurations (through the Web Interface only) and all supported Access Gateway configurations.

Citrix Workspace app supports all authentication methods supported by Access Gateway.

Joint Server Certificate Validation Policy

Releases of Citrix Workspace app have a stricter validation policy for server certificates.

Important

Before installing Citrix Workspace app, confirm that the certificates at the server or gateway are correctly configured as described here. Connections might fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Workspace app now uses all the certificates supplied by the server (or gateway). As in previous releases, Citrix Workspace app then also checks that the certificates are trusted. If the certificates aren’t all trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app connections to fail.

Suppose that a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, by determining exactly which root certificate is used by Citrix Workspace app:

  • Example Server Certificate
  • Example Intermediate Certificate
  • Example Root Certificate

Then, Citrix Workspace app checks whether all these certificates are valid. Citrix Workspace app also checks whether Example Root Certificate is already trusted.

Notes:

  • If Citrix Workspace app does not trust Example Root Certificate, the connection fails.
  • Some certificate authorities have more than one root certificate. If you require a stricter validation, make sure that your configuration uses the appropriate root certificate.

For example, there are currently two certificates:

  • DigiCert or GTE CyberTrust Global Root

  • DigiCert Baltimore Root or Baltimore CyberTrust Root

These certificates can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (DigiCert Baltimore Root or Baltimore CyberTrust Root).

If you configure GTE CyberTrust Global Root at the gateway, Citrix Workspace app connections on those user devices fail. Consult the certificate authority’s documentation to determine which root certificate has to be used. Also note that root certificates eventually expire, as do all certificates.

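Now suppose that the gateway is configured with only Example Server Certificate and Example Intermediate Certificate, and no root certificate. Then, Citrix Workspace app uses these two certificates. The app searches for a root certificate on the user device. If the app finds one that validates correctly, and is also trusted (such as Example Root Certificate), the connection succeeds. Otherwise, the connection fails.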

This configuration supplies the intermediate certificate that Citrix Workspace app needs, but also allows Citrix Workspace app to choose any valid, trusted, root certificate.

Now suppose that a gateway is configured with these certificates:

  • Example Server Certificate
  • Example Intermediate Certificate
  • Wrong Root Certificate

A web browser might ignore the wrong root certificate. However, Citrix Workspace app doesn’t ignore the wrong root certificate, and the connection fails.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

  • Example Server Certificate
  • Example Intermediate Certificate 1
  • Example Intermediate Certificate 2

Important

Some certificate authorities use a cross-signed intermediate certificate. Such certificates are intended for situations where there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In such cases, at least two intermediate certificates exist.

For example, the earlier root certificate Class 3 Public Primary Certification Authority has the corresponding cross-signed intermediate certificate Verisign Class 3 Public Primary Certification Authority - G5. However, a corresponding later root certificate Verisign Class 3 Public Primary Certification Authority - G5 is also available, which replaces Class 3 Public Primary Certification Authority. The later root certificate does not use a cross-signed intermediate certificate.

Note

The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To), but the cross-signed intermediate certificate has a different Issuer name (Issued By). The Issuer name distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as Example Intermediate Certificate 2).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

  • Example Server Certificate
  • Example Intermediate Certificate

Avoid configuring the gateway to use the cross-signed intermediate certificate, as Citrix Workspace app selects the earlier root certificate:

  • Example Server Certificate
  • Example Intermediate Certificate
  • Example Cross-signed Intermediate Certificate [not recommended]

It isn’t recommended to configure the gateway with only the server certificate:

  • Example Server Certificate

In such cases, if Citrix Workspace app can’t locate all the intermediate certificates, the connection fails.
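The gateway configurations discussed above can be checked before rollout with a small model of the policy. The following Python sketch is an added example, not Citrix code: the Cert record, the audit_chain function and all sample data are hypothetical, and it compares Subject and Issuer names only, without verifying signatures.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

def audit_chain(supplied, device_roots, today):
    """Findings for a gateway chain (server certificate first); [] means none.
    device_roots maps Subject -> Cert for roots trusted on the device.
    Assumption: names only, signatures are not verified in this model."""
    findings = []
    sent = {c.subject: c for c in supplied}
    # Walk Issuer links from the server certificate up to a self-signed root.
    cert, path = supplied[0], []
    while cert.subject not in path:
        path.append(cert.subject)
        if cert.subject == cert.issuer:
            break
        parent = sent.get(cert.issuer) or device_roots.get(cert.issuer)
        if parent is None:
            findings.append(f"missing issuer: {cert.issuer}")
            break
        cert = parent
    for c in supplied:
        if c.not_after < today:
            findings.append(f"expired: {c.subject}")
        if c.subject not in path:
            findings.append(f"not part of chain: {c.subject}")
        if c.subject == c.issuer and c.subject not in device_roots:
            findings.append(f"untrusted root: {c.subject}")
        # Same Subject as a trusted root but a different Issuer: cross-signed.
        if c.subject != c.issuer and c.subject in device_roots:
            findings.append(f"cross-signed intermediate: {c.subject}")
    return findings

# Constructed sample data using the example names from the text above.
TODAY, LATER = date(2024, 1, 1), date(2030, 1, 1)
ROOT = Cert("Example Root Certificate", "Example Root Certificate", LATER)
INTER = Cert("Example Intermediate Certificate", "Example Root Certificate", LATER)
SERVER = Cert("Example Server Certificate", "Example Intermediate Certificate", LATER)
WRONG = Cert("Wrong Root Certificate", "Wrong Root Certificate", LATER)
DEVICE = {ROOT.subject: ROOT}

if __name__ == "__main__":
    for chain in ([SERVER, INTER, ROOT], [SERVER, INTER], [SERVER, INTER, WRONG], [SERVER]):
        print([c.subject for c in chain], "->", audit_chain(chain, DEVICE, TODAY) or "ok")
```

In this model the two configurations described as recommended return no findings, while the wrong-root and server-only configurations return the reason the connection is expected to fail.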
