When using Citrix Workspace app for Linux, the following configuration steps allow users to access their hosted applications and desktops.


Configuration files

To change advanced or less common settings, you can modify Citrix Workspace app’s configuration files. These configuration files are read each time wfica starts. You can update various files depending on the effect you want the changes to have.

If session sharing is enabled, an existing session might be used instead of a newly reconfigured one. This setting might cause the session to ignore changes you made in a configuration file.

Default settings

If you want to change the default for all Citrix Workspace app users, modify the module.ini configuration file in the $ICAROOT/config directory.


If an entry in All\_Regions.ini is set to a specific value, the value for that entry in module.ini is not used. The values in All\_Regions.ini take precedence over the value in module.ini.

Template file

If the $HOME/.ICAClient/wfclient.ini file does not exist, wfica creates it by copying $ICAROOT/config/wfclient.template. When you change this template file, the changes are applied to all the Citrix Workspace app users.

User settings

To apply configuration changes for a user, modify the wfclient.ini file in the user’s $HOME/.ICAClient directory. The settings in this file apply to future connections for that user.

Validate configuration file entries

To limit the values for entries in wfclient.ini, specify the allowed options or ranges of options in All\_Regions.ini.

If you specify only one value, that value is used. $HOME/.ICAClient/All\_Regsions.ini can match or reduce the possible values set by $ICAROOT/config/All\_Regions.ini, it cannot take away restrictions.


The value set in wfclient.ini takes precedence over the value in module.ini.


The parameters listed in each file are grouped into sections. Each section begins with a name in brackets that indicates parameters that belong together; for example, \[ClientDrive\] for parameters related to client drive mapping (CDM).

Defaults are automatically supplied for any missing parameters except where indicated. If a parameter is present but is not assigned a value, the default is automatically applied. For example, if InitialProgram is followed by an equal sign (=) but no value, the default (not to run a program after logging in) is applied.


All\_Regions.ini specifies parameters that can be set by other files. It can restrict the values of parameters or set them exactly.

For any given connection, the files are checked in the following order:

  1. All\_Regions.ini - Values in this file override those in:
    • The connections .ICA file
    • wfclient.ini
  2. module.ini - Values in this file are used if they have not been set in All\_Regions.ini, the connections .ICA file, or wfclient.ini but they are not restricted by entries in All\_Regions.ini.

If no value is found in any of these files, the default in the Citrix Workspace app code is used.


There are exceptions to this order of precedence. For example, the code reads some values specifically from wfclient.ini for security reasons.

Creating custom user-agent strings in network request

With this release, Citrix Workspace app introduces an option to append the User-Agent strings in the network request and identify the source of a network request. Based on this User-Agent strings request, you can decide how to manage your network request. This feature allows you to accept network requests only from trusted devices.


  • This feature is supported on cloud deployments of Citrix Workspace app. Also, x86, x64, and armhf are the supported packages.

To customize the User-Agent strings, do the followings:

  1. Locate the $ICAROOT/config/AuthManConfig.xml configuration file.
  2. Add a value to the following entry:

<UserAgentSuffix> </UserAgentSuffix>

Example that includes App and Version in the customized text:

<UserAgentSuffix>App/AppVersion </UserAgentSuffix>

If you are adding App and AppVersion, separate them by a forward slash (“/”).

  • If the network request is from the UI-based Citrix Workspace App, the following User-Agent appears in the network requests:

    CWAWEBVIEW/CWAVersion App/AppVersion

  • If the network request is not from the UI-based Citrix Workspace App, the following User-Agent appears in the network requests:

    CWA/CWAVersion App/AppVersion


  • If you are not adding AppVersion at the end of the UserAgentSuffix string, the Citrix Workspace app version is appended in the network requests.
  • Restart AuthManagerDaemon and ServiceRecord for the changes to take effect.

Feature flag management

If an issue occurs with Citrix Workspace app in production, we can disable an affected feature dynamically in Citrix Workspace app even after the feature ships. To do so, we use feature flags and a third-party service called LaunchDarkly. You do not need to make any configurations to enable traffic to LaunchDarkly, unless you have a firewall or proxy blocking outbound traffic. In that case, you enable traffic to LaunchDarkly via specific URLs or IP addresses, depending on your policy requirements. You can enable traffic and communication to LaunchDarkly in the following ways:

Enable traffic to the following URLs


List IP addresses in an allow list

If you must list IP addresses in an allow list, for a list of all current IP address ranges, see the LaunchDarkly public IP list. You can use this list to ensure that your firewall configurations are updated automatically in keeping with the infrastructure updates. For details about the status of the infrastructure changes, see the LaunchDarkly Statuspage page.

LaunchDarkly system requirements

Ensure that published apps can communicate with the following services if you have split tunneling on Citrix ADC set to OFF for the following services:

  • LaunchDarkly service
  • APNs listener service

Service continuity


This feature is generally available for Citrix Workspace app.

Service continuity removes or minimizes the dependency on the availability of components that are involved in the connection process. Users can launch their virtual apps and desktops regardless of the health status of the cloud services.

For information on requirements that support service continuity on Citrix Workspace app, see System Requirements.

For information on installing service continuity with Citrix Workspace app, see Installing Service Continuity.

For more information, see the Service continuity section in the Citrix Workspace documentation.

Pinning multi-monitor screen layout

Starting with Version 2103, you can save the selection for multi-monitor screen layout. The layout is how a desktop session is displayed. Pinning helps to relaunch a session with the selected layout, resulting in an optimized user experience.

As a prerequisite, you must enable this feature in the AuthManConfig.xml file. Navigate to $ICAROOT/config/AuthManConfig.xml and add the following entries:

     <value> true </value>

Only after adding the key above, you will be able to see the Screen Layout option in the App indicator icon. For more information about app indicator icon, see App indicator icon.

To select the screen layout, click the app indicator icon in the taskbar, and select Screen Layout. The Screen Layout dialog appears.

Alternately, you can launch the Screen Layout dialog by pressing Ctrl+m keys when on the self-service window.

Screen layout

Select a virtual desktop from the drop-down menu. The layout selection is applied only to the desktop you select.

Select one or more tiles to form a rectangular selection for the layout. The session then appears as per the layout selection.


  • Enabling screen pinning disables the save layout feature in a session.
  • This feature is applicable only on desktops that are marked as favorite.

App protection


App protection policies work by filtering access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). This means that app protection policies can provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.

App protection is an add-on feature that provides enhanced security when you use Citrix Virtual Apps and Desktops. The feature restricts the ability of clients to be compromised by keylogging and screen capturing malware. App protection prevents exfiltration of confidential information such as user credentials and sensitive information displayed on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information.


  • This feature is supported when Citrix Workspace app is installed by using the tarball, Debian, and Red Hat Package Manager (RPM) packages. Also, x64 and armhf are the only supported architectures.
  • This feature is supported in on-premises deployments of Citrix Virtual Apps and Desktops and in deployments using the Citrix Virtual Apps and Desktops Service with StoreFront.

App protection requires that you install an add-on license on your License Server. A Citrix Virtual Desktops license must also be present. For information on Licensing, see the Configure section in the Citrix Virtual Apps and Desktops.

Starting with Version 2108, app protection feature is now fully functional. The app protection feature supports apps and desktop sessions and is enabled by default. However, you must configure the app protection feature in the AuthManConfig.xml file to enable it for authentication manager and Self-Service plug-in interfaces.

Starting with this release, you can launch protected resources from Citrix Workspace app while Mozilla Firefox is running.


App protection works best with the following Operating Systems along with Gnome Display Manager:

  • 64-bit Ubuntu 18.04+
  • 64-bit Debian 9+
  • 64-bit CentOS7.5+
  • 64-bit RHEL7.5+
  • ARMHF 32-bit Raspbian 10 (Buster)+

Installing the app protection component:

When you install the Citrix Workspace app using the tarball package, the following message appears.

“Do you want to install the app protection component? Warning: You cannot disable this feature. To disable it, you must uninstall Citrix Workspace app. For more information, contact your system administrator. [default $INSTALLER_N]:”

Enter Y to install the app protection component.

By default, the app protection component is not installed.

Restart your machine for the changes to take effect. App protection might not work as expected unless you restart your machine.

Installing the app protection component on RPM packages:

Starting with Version 2104, app protection is supported on the RPM version of Citrix Workspace app.

To install app protection, do the following:

  1. Install Citrix Workspace app.
  2. Install the app protection ctxappprotection<version>.rpm package from the Citrix Workspace app installer.
  3. Restart the system for the changes to take effect.

Installing the app protection component on Debian packages:

Starting with Version 2101, app protection is supported on the Debian version of Citrix Workspace app.

For silent installation of the app protection component, run the following command from the terminal before installing Citrix Workspace app:

export DEBIAN_FRONTEND="noninteractive"
sudo debconf-set-selections <<< "icaclient app_protection/install_app_protection select no"

sudo debconf-show icaclient
* app_protection/install_app_protection: no

sudo apt install -f ./icaclient_<version>._amd64.deb

Starting with Version 2106, Citrix Workspace app introduces an option to let you configure the anti-keylogging and anti-screen-capturing functionalities separately for both the authentication manager and Self-Service plug-in interfaces.

Configuring app protection for authentication manager:

Navigate to $ICAROOT/config/AuthManConfig.xml and edit the file as follows:

/opt/Citrix/ICAClient/config$ cat AuthManConfig.xml | grep -i authmananti -A 1
    <value>true </value>


Configuring app protection for the Self-Service plug-in interface:

Navigate to $ICAROOT/config/AuthManConfig.xml and edit the file as follows:

/opt/Citrix/ICAClient/config$ cat AuthManConfig.xml | grep -i protection -A 4
<!-- Selfservice app protection configuration -->


Known issues:

  • When you minimize a protected screen, app protection continues to run in the background.


  • Sometimes, you cannot launch protected resources when an application that is installed from the Snap Store is running. As a workaround, identify the application that causes the issue from the Citrix Workspace app log file and close the application.
  • When you are trying to take a screenshot of a protected window, the entire screen, including the non-protected apps in the background, are grayed out.

Battery status indicator

The battery status of the device now appears in the notification area of a Citrix Desktop session.


The battery status indicator does not appear for server VDAs.

The battery status indicator is enabled by default.

To disable the battery status indicator:

  1. Navigate to the <ICAROOT>/config/module.ini folder.
  2. Go to the ICA 3.0 section.
  3. Set the MobileReceiver= Off.

Customer Experience Improvement Program (CEIP)

Data collected Description What we use it for
Configuration and usage data The Citrix Customer Experience Improvement Program (CEIP) gathers configuration and usage data from Citrix Workspace app for Linux and automatically sends the data to Google Analytics. This data helps Citrix improve the quality, reliability, and performance of Citrix Workspace app.

Additional information

Citrix will handle your data in accordance with the terms of your contract with Citrix, and protect it as specified in the Citrix Services Security Exhibit available on the Citrix Trust Center.

Citrix also uses Google Analytics to collect certain data from Citrix Workspace app as part of CEIP. You may review how Google handles data collected for Google Analytics.

You can turn off sending CEIP data to Citrix and Google Analytics (except for the two data elements collected for Google Analytics indicated by an * in the second table below) by:

  1. Navigate to the \<ICAROOT\>/config/module.ini folder and go to the CEIP section.
  2. Select the entry EnableCeip and set it to Disable.


Once you set the EnableCeip key to Disable, if you would like to disable sending the final two CEIP data elements collected by Google Analytics (that is, Operating System version & Workspace app version) navigate to the following section and set the value as suggested:

Location: <ICAROOT>/config/module.ini

Section: GoogleAnalytics

Entry: DisableHeartBeat

Value: True

The specific CEIP data elements collected by Google Analytics are:

Operating system version* Workspace app version* App name Client ID
Session launch method Compiler version Hardware platform  

App indicator icon

The app indicator starts when you launch Citrix Workspace app. It is an icon that is present in the notification area. With the introduction of the app indicator, the Citrix Workspace app for Linux logon performance is improved.

You can observe performance improvement when you:

  • First launch of Citrix Workspace app
  • Close and relaunch the app
  • Quit and relaunch the app


The libappindicator package is required for the app indicator to appear. Install the libappindicator package suitable for your Linux distribution from the web.

ICA-to-X proxy

You can use a workstation running Citrix Workspace app as a server and redirect the output to another X11-capable device. You might want to do this to deliver Microsoft Windows applications to X terminals or to UNIX workstations for which Citrix Workspace app is not available.


Citrix Workspace app software is available for many X devices, and installing the software on these devices is the preferred solution in these cases. Running Citrix Workspace app in this way, as an ICA-to-X proxy, is also referred to as server-side ICA.

When you run Citrix Workspace app, you can think of it as an ICA-to-X11 converter that directs the X11 output to your local Linux desktop. However, you can redirect the output to another X11 display. You can run multiple copies of Citrix Workspace app simultaneously on one system with each sending its output to a different device.

This graphic shows a system with Citrix Workspace app for Linux set up as an ICA-to-X proxy:

ICA-to-X proxy

To set up this type of system, you need a Linux server to act as the ICA-to-X11 proxy:

  • If you have X terminals already, you can run Citrix Workspace app on the Linux server that usually supplies the X applications to the X terminals.
  • If you want to deploy UNIX workstations for which Citrix Workspace app is not available, you need an extra server to act as the proxy. This can be a PC running Linux.

Applications are supplied to the final device using X11, using the capabilities of the ICA protocol. By default, you can use drive mapping only to access the drives on the proxy. This is not a problem if you are using X terminals (which usually do not have local drives). If you are delivering applications to other UNIX workstations, you can either:

  • NFS mounts the local UNIX workstation on the workstation acting as the proxy, then point a client drive map at the NFS mount point on the proxy.
  • Use an NFS-to-SMB proxy such as SAMBA, or an NFS client on the server such as Microsoft Services for UNIX.

Some features are not passed to the final device:

  • USB redirection
  • Smart card redirection
  • COM port redirection
  • Audio is not delivered to the X11 device, even if the server acting as a proxy supports audio.
  • Client printers are not passed through to the X11 device. You access the UNIX printer from the server manually using LPD printing, or use a network printer.
  • Redirection of multimedia input is not expected to work because it requires a webcam on the machine running Citrix Workspace app, which is the server acting as a proxy. However, redirection of multimedia output works with GStreamer installed on the server acting as a proxy (untested).

To start Citrix Workspace app with server-side ICA from an X terminal or a UNIX workstation:

  1. Use ssh or telnet to connect to the device acting as the proxy.

  2. In a shell on the proxy device, set the DISPLAY environment variable to the local device. For example, in a C shell, type:

    setenv DISPLAY <local:0>


    If you use the command ssh -X to connect to the device acting as the proxy, you do not need to set the DISPLAY environment variable.

  3. At a command prompt on the local device, type xhost <proxy server name>

  4. If Citrix Workspace app is not installed in the default installation directory, ensure that the environment variable ICAROOT is set to point to the actual installation directory.

  5. Locate the directory where Citrix Workspace app is installed. At a command prompt, type selfservice &.

Server-client content redirection

Server-client content redirection enables administrators to specify that URLs in a published application are opened using a local application. For example, opening a link to a webpage while using Microsoft Outlook in a session opens the required file using the browser on the user device. Server-client content redirection enables administrators to allocate Citrix resources more efficiently, thereby providing users with better performance.

The following types of URL can be redirected:

  • HTTP
  • RTSP (Real Player)
  • RTSPU (Real Player)
  • PNM (Older Real Players)

If Citrix Workspace app for Linux does not have an appropriate application or cannot directly access the content, the URL is opened using the server application.

Server-client content redirection is configured on the server and enabled by default in Citrix Workspace app if the path includes RealPlayer and at least one of Firefox, Mozilla, or Netscape.

To enable server-client content redirection if RealPlayer and a browser are not in the path

  1. Open the configuration file wfclient.ini.

  2. In the [Browser] section, modify the following settings:



    where path is the directory where the browser executable is located and command is the name of the executable used to handle redirected browser URLs, appended with the URL sent by the server. For example:

$ICAROOT/nslaunch Netscape, firefox, mozilla

This setting specifies the following:

-  The `nslaunch` utility is run to push the URL into an existing browser window
-  Each browser in the list is tried in turn until content can be displayed successfully
  1. In the [Player] section, modify the following settings:



    where path is the directory where the RealPlayer executable is located and command is the name of the executable used to handle the redirected multimedia URLs, appended with the URL sent by the server.

  2. Save and close the file.


For both Path settings, you need only specify the directory where the browser and RealPlayer executables reside. You do not need to specify the full path to the executables. For example, in the [Browser] section, Path might be set to /usr/X11R6/bin rather than /usr/X11R6/bin/netscape. In addition, you can specify multiple directory names as a colon-separated list. If these settings are not specified, the user’s current $PATH is used.

To turn off server-client content redirection from Citrix Workspace:

  1. Open the configuration file module.ini.
  2. Change the CREnabled setting to Off.
  3. Save and close the file.


Configure connections

On devices with limited processing power or where limited bandwidth is available, there is a trade-off between performance and functionality. Users and administrators can choose an acceptable mixture of rich functionality and interactive performance. Making one or more of these changes, often on the server not the user device, can reduce the bandwidth that a connection requires and can improve performance:

  • Enable SpeedScreen Latency Reduction - SpeedScreen Latency Reduction improves performance over high latency connections by providing instant feedback to the user in response to typed data or mouse clicks. Use SpeedScreen Latency Reduction Manager to enable this feature on the server. By default, in Citrix Workspace app, this is disabled for keyboard and only enabled for the mouse on high latency connections. See the Citrix Workspace app for Linux OEM’s Reference Guide.
  • Enable data compression - Data compression reduces the amount of data transferred across the connection. This requires more processor resources to compress and decompress the data, but it can increase performance over low-bandwidth connections. Use the Citrix Audio Quality and Image Compression policy settings to enable this feature.
  • Reduce the window size - Change the window size to the minimum that is comfortable. On the farm set the Session Options.
  • Reduce the number of colors - Reduce the number of colors to 256. On the Citrix Virtual Apps and Desktops Site, set the Session Options.
  • Reduce sound quality - If audio mapping is enabled, reduce the sound quality to the minimum setting using the Citrix Audio quality policy setting.


ClearType font smoothing

ClearType font smoothing (also known as subpixel font rendering) improves the quality of displayed fonts beyond that available through traditional font smoothing or anti-aliasing. You can turn this feature on or off. Or you specify the type of smoothing by editing the following setting in [WFClient] section of the appropriate configuration file:

FontSmoothingType = number

Where number can take one of the following values:

Value Behavior
0 The local preference on the device is used. This value is defined by the FontSmoothingTypePref setting.
1 No smoothing
2 Standard smoothing
3 ClearType (horizontal subpixel) smoothing

Both standard smoothing and ClearType smoothing can increase Citrix Workspace app’s bandwidth requirements.


The server can configure FontSmoothingType through the ICA file. This takes precedence over the value set in [WFClient].

If the server sets the value to 0, the local preference is determined by another setting in the [WFClient]: FontSmoothingTypePref = number

Where a number can take one of the following values:

Value Behavior
0 No smoothing
1 No smoothing
2 Standard smoothing
3 ClearType (horizontal subpixel) smoothing (default)


Configure special folder redirection

In this context, there are only two special folders for each user:

  • The user’s Desktop folder
  • The user’s Documents folder (My Documents on Windows XP)

Special folder redirection enables you to specify the locations of a user’s special folders so that these remain fixed across different server types and server farm configurations. It is important if, for example, a mobile user logs on to servers in different server farms. For static, desk-based workstations, where the user can log on to servers that reside in a single-server farm, special folder redirection is rarely necessary.

To configure special folder redirection:

A two-part procedure is as follows. First, you enable special folder redirection by making an entry in module.ini; then you specify the folder locations in the [WFClient] section, as described here:

  1. Add the following text to module.ini (for example, $ICAROOT/config/module.ini):


    SFRAllowed = True

  2. Add the following text to the [WFClient] section (for example, $HOME/.ICAClient/wfclient.ini):

    DocumentsFolder = documents

    DesktopFolder = desktop

    where documents and desktop are the UNIX file names, including the full path, of the directories to use as the users Documents and Desktop folders respectively. For example:

    DesktopFolder = $HOME/.ICAClient/desktop

    • You can specify any component in the path as an environment variable, for example, $HOME.
    • Specify values for both parameters.
    • The directories you specify must be available through client device mapping. That is, the directory must be in the subtree of a mapped client device.
    • Use the drive letters C or higher.

Client-drive mapping

Client drive mapping allows drive letters on the Citrix Virtual Apps or Citrix Virtual Desktops server to be redirected to directories that exist on the local user device. For example, drive H in a Citrix user session can be mapped to a directory on the local user device running the Workspace app.

Client drive mapping can make any directory mounted on the local user device, including a CD-ROM, DVD, or a USB memory stick, available to the user during a session, provided the local user has permission to access it. When a server is configured to allow client drive mapping, users can access their locally stored files, work with them during their session, and then save them again either on a local drive or on a drive on the server.

Citrix Workspace app supports client device mapping for connections to Citrix Virtual Apps and Desktops servers. Client device mapping enables a remote application running on the server to access devices attached to the local user device. The applications and system resources appear to the user at the user device as if they are running locally. Ensure that client device mapping is supported on the server before using these features.


The Security-Enhanced Linux (SELinux) security model can affect the operation of the Client Drive Mapping and USB Redirection features (on both Citrix Virtual Apps and Desktops). If you require either or both of these features, disable SELinux before configuring them on the server.

Two types of drive mapping are available:

  • Static client drive mapping enables administrators to map any part of a user device’s file system to a specified drive letter on the server at logon. For example, it can be used to map all or part of a user’s home directory or /tmp, and the mount points of hardware devices such as CD-ROMs, DVDs, or USB memory sticks.
  • Dynamic client drive mapping monitors the directories in which hardware devices such as CD-ROMs, DVDs, and USB memory sticks are typically mounted on the user device. And any new ones that appear during a session are automatically mapped to the next available drive letter on the server.

When Citrix Workspace app connects to Citrix Virtual Apps or Citrix Virtual Desktops, client drive mappings are reestablished unless client device mapping is disabled. You can use policies to give you more control over how client device mapping is applied. For more information, see the Citrix Virtual Apps and Desktops documentation.

Users can map drives using the Preferences dialog box.


By default, enabling static client drive mapping also enables dynamic client drive mapping. To disable the latter but enable the former, set DynamicCDM to False in wfclient.ini.

Previously, your setting for file access through CDM was applied on all configured stores.

Starting with Version 2012, Citrix Workspace app allows you to configure per-store CDM file access.


The file access setting is not persistent across sessions when using workspace for web. It defaults to the Ask me each time option.

File access

You can use the wfclient.ini file to configure the mapped path and file name attributes. Use the GUI to set a file access level as shown in the preceding screen capture.

In a desktop session, you can set a file access level by navigating to Preferences > File access dialog from the Desktop Viewer.

File access from Desktop Viewer

In an app session, you can set a file access level by launching the File access dialog from Citrix Connection Center.

File access from Desktop Viewer

The File access dialog includes the mapped folder name and its path.

File access from Desktop Viewer

The access level flag is not supported in the wfclient.ini file anymore.

Map client-printers

Citrix Workspace app supports printing to network printers and printers that are attached locally to user devices. By default, unless you create policies to change it, Citrix Virtual Apps lets users:

  • Print to all printing devices accessible from the user device
  • Add printers

These settings, however, might not be the optimum in all environments. For example, the default setting that allows users to print to all printers accessible from the user device is the easiest to administer initially. But the default setting might create slower logon times in some environments. In this situation, you might want to limit the list of printers configured on the user device.

Likewise, your organization’s security policies might require that you prevent users from mapping local printing ports. To do so, on the server configure the ICA policy Auto connect client COM ports setting to Disabled.

To limit the list of printers configured on the user device:

  1. Open the configuration file, wfclient.ini, in one of the following:

    • $HOME/.ICAClient directory to limit the printers for a single user
    • $ICAROOT/config directory to limit the printers for all Workspace app users. All users in this case are those users who first use the self-service program after the change.
  2. In the [WFClient] section of the file type:


    Where printer1, printer2, and so on, are the names of the chosen printers. Separate printer name entries by a colon (:).

  3. Save and close the file.

Map client printers on UNIX

In a UNIX environment, printer drivers defined by Citrix Workspace app are ignored. The printing system on the user device must be able to handle the print format generated by the application.

Before users can print to a client printer from Citrix Virtual Apps for UNIX, printing must be enabled by the administrator. For more information, see the Citrix Virtual Apps for UNIX section in the Citrix Virtual Apps and Desktops documentation.

Map a local printer

The Citrix Workspace app for Linux supports the Citrix PS Universal Printer Driver. So, usually no local configuration is required for users to print to network printers or printers that are attached locally to user devices. You might, however, manually map client printers on Citrix Virtual Apps for Windows if, for example, the user device’s printing software does not support the universal printer driver.

To map a local printer on a server:

  1. From Citrix Workspace app, start a server connection and log on to a computer running Citrix Virtual Apps.

  2. On the Start menu, choose Settings > Printers.

  3. On the File menu, choose Add Printer.

    The Add Printer wizard appears.

  4. Use the wizard to add a network printer from the Client Network, Client domain. Usually this is a standard printer name, similar to those created by native Remote Desktop Services, such as “HP LaserJet 4 from client name in session 3.”

    For more information about adding printers, see your Windows operating system documentation.


Previously, the default value of the VdcamVersion4Support attribute in the module.ini file was set to True. With this release, the default is set to False. As a result, only the default audio device with the name Citrix HDX Audio appears in the session. This enhancement aims to minimize the audio issues that occur when the attribute is set to True.

Starting with Version 2108, the enhanced audio redirection feature is disabled by default.

To enable this feature, do the following:

  1. Navigate to the \<ICAROOT\>/config/ folder and open the module.ini file.
  2. Go to the clientaudio section and add the following entry:


  3. Restart the session for the changes to take effect.


  • When the enhanced audio redirection feature is enabled, Citrix Workspace app for Linux displays all local audio devices that are available in a session. You can switch to any of the available devices dynamically in a session.
  • The Mic and Webcam option in the Preferences dialog remains disabled by default. For information on how to enable mic and webcam, see Preferences.

Known limitations:

  • On a VDA running on Windows Server 2016, you can’t change the audio device selection in a session. The selection is set to the default audio input and output only.
  • Audio device redirection is not supported with HDMI and Bluetooth audio devices. This limitation is not related to the value set for VdcamVersion4Support.
  • You can change the default audio device only on Windows 10 , Windows 7 and Windows 8 operating system. On Windows server operating systems, such as Windows Server 2012, 2016, 2019, you cannot change the default audio device due to a limitation in Microsoft Remote Desktops Session.
  • The Citrix Workspace app might display audio devices that are not available in the session (for example, HDMI audio devices). The issue is caused by a third-party limitation.

The default audio device is typically the default ALSA device configured for your system. Use the following procedure to specify a different device:

  1. Choose and open a configuration file according to which users you want your changes to affect. See default settings for information about how updates to particular configuration files affect different users.
  2. Add the following option, creating the section if necessary:

    AudioDevice = \<device\>

Where device information is located in the ALSA configuration file on your operating system.


The location of this information is not standard across all Linux operating systems. Citrix recommends consulting your operating system documentation for more details about locating this information.

Map client audio

Client audio mapping enables applications running on the Citrix Virtual Apps server or Citrix Virtual Desktops to play sounds through a sound device installed on the user device. You can set audio quality on a per-connection basis on the server and users can set it on the user device. If the user device and server audio quality settings are different, the lower setting is used.

Client audio mapping can cause excessive load on servers and the network. The higher the audio quality, the more bandwidth is required to transfer the audio data. Higher-quality audio also uses more server CPU to process.

You configure client audio mapping using policies. For more information, see the Citrix Virtual Apps and Desktops documentation.


Client audio mapping isn’t supported when connecting to Citrix Virtual Apps for UNIX.

Enabling UDP audio

UDP audio can improve the quality of phone calls made over the Internet. It uses User Datagram Protocol (UDP) instead of Transmission Control Protocol (TCP).


  • UDP audio is not available in encrypted sessions (that is, those using TLS or ICA Encryption). In such sessions, audio transmission uses TCP.
  • The ICA channel priority can affect UDP audio.
  1. Set the following options in the ClientAudio section of module.ini:
    • Set EnableUDPAudio to True. By default, this is set to False, which disables UDP audio.
    • Specify the minimum and maximum port numbers for UDP audio traffic using UDPAudioPortLow and UDPAudioPortHigh respectively. By default, ports 16500 - 16509 are used.
  2. Set client and server audio settings as follows so that the resultant audio is of a medium quality (that is, not high or low).
    Audio quality on client Audio quality on client Audio quality on client
    High Medium Low
Audio quality on server High High Medium Low
Audio quality on server Medium Medium Medium Low
Audio quality on server Low Low Low Low

UDP on the client

In $ICAROOT/config/module.ini file, add the following:

Under the [ClientAudio] section:

EnableUDPAudio=True UDPAudioPortLow=int UDPAudioPortHigh=int

In $HOME/.ICAClient/wfclient.ini file, add the following:

Under the [WFClient] section:

AllowAudioInput=True EnableAudioInput=true AudioBandWidthLimit=1


  • If the .ICAClient folder is not found (occurs only in case of first-time installation and launching) launch the Citrix Workspace app and close. This action creates the .ICAClient folder.
  • When the AudioBandWidthLimit is set to 1, the audio quality on the client is medium.

Add the following under wfclient.ini.* Set policy on DDC:

Set “Windows Media redirection” to “Prohibited” Set “Audio over UDP” to “Allowed” Set “Audio over UDP real-time transport” to “enabled Set “Audio quality” to “Medium”

Changing how Citrix Workspace app is used

ICA technology is highly optimized and typically does not have high CPU and bandwidth requirements. However, if you are using a very low-bandwidth connection, consider the following to preserve performance:

  • Avoid accessing large files using client drive mapping. When you access a large file with client drive mapping, the file is transferred over the server connection. On slow connections, this might take a long time.
  • Avoid printing large documents on local printers. When you print a document on a local printer, the print file is transferred over the server connection. On slow connections, this might take a long time.
  • Avoid playing multimedia content. Playing multimedia content uses many bandwidths and can cause reduced performance.


USB support enables users to interact with a wide range of USB devices when connected to a virtual desktop. Users can plug USB devices into their computers and the devices are redirected to their virtual desktop. USB devices available for remoting include flash drives, smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets.

USB redirection requires either Citrix Virtual Apps 7.6 (or later) or Citrix Virtual Desktops. Citrix Virtual Apps does not support USB redirection of mass storage devices and requires special configuration to support audio devices. See Citrix Virtual Apps 7.6 documentation for details.

Isochronous features in USB devices such as webcams, microphones, speakers, and headsets are supported in typical low latency/high speed LAN environments. But usually the standard audio or webcam redirection are more suitable.

The following types of device are supported directly in a Citrix Virtual Apps and Desktops session, and so do not use USB support:

  • Keyboards
  • Mice
  • Smart cards
  • Headsets
  • Webcams


Specialist USB devices (for example, Bloomberg keyboards and 3D mice) can be configured to use USB support. For information on configuring policy rules for other specialist USB devices, see CTX119722.

By default, certain types of USB devices are not supported for remoting through Citrix Virtual Apps and Desktops. For example, a user might have a NIC attached to the system board by internal USB. Remoting this would not be appropriate. The following types of USB device are not supported by default for use in a Citrix Virtual Apps and Desktops session:

  • Bluetooth dongles
  • Integrated NICs
  • USB hubs

To update the default list of USB devices available for remoting, edit the usb.conf file, located in $ICAROOT/. For more information, see the Update the list of USB devices available for remoting section.

To allow the remoting of USB devices to virtual desktops, enable the USB policy rule. For more information, see the Citrix Virtual Apps and Desktops documentation.

How USB support works

When a user plugs in a USB device, it is checked against the USB policy, and, if allowed, redirected to the virtual desktop. If the device is denied by the default policy, it is available only to the local desktop.

For desktops accessed through desktop appliance mode, when a user plugs in a USB device, that device is automatically redirected to the virtual desktop. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.

The session window must have focus when the user plugs in the USB device for redirection to occur, unless desktop appliance mode is in use.

Mass storage devices

If a user disconnects from a virtual desktop when a USB mass storage device is still plugged in to the local desktop, that device is not redirected to the virtual desktop when the user reconnects. To ensure that the mass storage device is redirected to the virtual desktop, the user must remove and reinsert the device after reconnecting.


If you insert a mass storage device into a Linux workstation that has been configured to deny remote support for USB mass storage devices, the device will not be accepted by the Workspace app software. And a separate Linux file browser might open. Therefore, Citrix recommends that you pre-configure user devices with the Browse removable media when inserted setting cleared by default. On Debian-based devices, do this using the Debian menu bar by selecting Desktop > Preferences > Removable Drives and Media. And on the Storage tab, under Removable Storage, clear the Browse removable media when inserted check box.

For the Client USB device redirection, note the following point.


  • If the Client USB device redirection server policy is turned on, mass storage devices are always directed as USB devices even if client drive mapping is turned on.

  • The app does not support composite device redirection for USB devices.

USB classes

The following classes of USB device are allowed by the default USB policy rules:

  • Audio (Class 01)

    Includes microphones, speakers, headsets, and MIDI controllers.

  • Physical Interface (Class 05)

    These devices are similar to HIDs, but generally provide real-time input or feedback and include force feedback joysticks, motion platforms, and force feedback exoskeletons.

  • Still Imaging (Class 06)

    Includes digital cameras and scanners. Digital cameras often support the still imaging class which uses the Picture Transfer Protocol (PTP) or Media Transfer Protocol (MTP) to transfer images to a computer or other peripheral. Cameras might also appear as mass storage devices. And it might be possible to configure a camera to use either class, through setup menus provided by the camera itself.

    If a camera appears as a mass storage device, client drive mapping is used, and USB support is not required.

  • Printers (Class 07)

    In general most printers are included in this class, although some use vendor-specific protocols (class ff). Multi-function printers might have an internal hub or be composite devices. In both cases, the printing element generally uses the Printers class and the scanning or fax element uses another class; for example, Still Imaging.

    Printers normally work appropriately without USB support.

  • Mass Storage (Class 08)

    The most common mass storage devices are USB flash drives; others include USB-attached hard drives, CD/DVD drives, and SD/MMC card readers. There is a wide variety of devices having internal storage which also presents a mass storage interface; these include media players, digital cameras, and mobile phones. Known subclasses include:

  • 01 Limited flash devices
  • 02 Typically CD/DVD devices (ATAPI/MMC-2)
  • 03 Typically tape devices (QIC-157)
  • 04 Typically floppy disk drives (UFI)
  • 05 Typically floppy disk drives (SFF-8070i)
  • 06 Most mass storage devices use this variant of SCSI

    Mass storage devices can often be accessed through client drive mapping, and so USB support is not required.

    Important: Some viruses are known to propagate actively using all types of mass storage. Consider carefully whether there is a business need to permit the use of mass storage devices, either through client drive mapping, or USB support. To reduce this risk, the server might be configured to prevent files being executed through client drive mapping.

  • Content Security (Class 0d)

    Content security devices enforce content protection, typically for licensing or digital rights management. This class includes dongles.

  • Personal Healthcare (Class 0f)

    These devices include personal healthcare devices such as blood pressure sensors, heart rate monitors, pedometers, pill monitors, and spirometers.

  • Application and Vendor Specific (Classes fe and ff)

    Many devices use vendor-specific protocols or protocols not standardized by the USB consortium, and these usually appear as vendor-specific (class ff).

USB device classes

The following classes of USB device are denied by the default USB policy rules:

  • Communications and CDC Control (Classes 02 and 0a)

    Includes modems, ISDN adapters, network adapters, and some telephones and fax machines.

    The default USB policy does not allow these devices, because one of them might be providing the connection to the virtual desktop itself.

  • Human Interface Devices (Class 03)

    Includes a wide variety of both input and output devices. Typical Human Interface Devices (HIDs) are keyboards, mice, pointing devices, graphic tablets, sensors, game controllers, buttons, and control functions.

    Subclass 01 is known as the boot interface class and is used for keyboards and mice.

    The default USB policy does not allow USB keyboards (class 03, subclass 01, protocol 1), or USB mice (class 03, subclass 01, protocol 2). This is because most keyboards and mice are handled appropriately without USB support. And it is normally necessary to use these devices locally as well remotely when connecting to a virtual desktop.

  • USB Hubs (Class 09)

    USB Hubs allow extra devices to be connected to the local computer. It is not necessary to access these devices remotely.

  • Smart card (Class 0b)

    Smart card readers include contactless and contact smart card readers, and also USB tokens with an embedded smart card equivalent chip.

    Smart card readers are accessed using smart card remoting and do not require USB support.

  • Video (Class 0e)

    The video class covers devices that are used to manipulate video or video-related material, such as webcams, digital camcorders, analog video converters, some television tuners, and some digital cameras that support video streaming.

    By default, optimum webcam performance is provided by HDX RealTime Webcam Video Compression.

  • Wireless Controllers (Class e0)

    Includes a wide variety of wireless controllers, such as ultra wide band controllers and Bluetooth.

    Some of these devices might be providing critical network access, or connecting critical peripherals such as Bluetooth keyboards or mice.

    The default USB policy does not allow these devices. However, there might be particular devices it is appropriate to provide access to using USB support.

List of USB devices

You can update the range of USB devices available for remoting to desktops by editing the list of default rules contained in the usb.conf file on the user device in $ICAROOT/.

You update the list by adding new policy rules to allow or deny USB devices not included in the default range. Rules created by an administrator in this way control which devices are offered to the server. The rules on the server control which of these to be accepted.

The default policy configuration for disallowed devices is:

DENY: class=09 # Hub devices

DENY: class=03 subclass=01 # HID Boot device (keyboards and mice)

DENY: class=0b # Smartcard

DENY: class=e0 # Wireless Controllers

DENY: class=02 # Communications and CDC Control

DENY: class=03 # UVC (webcam)

DENY: class=0a # CDC Data

ALLOW: # Ultimate fallback: allow everything else

USB policy rules

Tip: When creating policy rules, see the USB Class Codes, available from the USB website at Policy rules in usb.conf on the user device take the format {ALLOW:|DENY:} followed by a set of expressions based on values for the following tags:

Tag Description
VID Vendor ID from the device descriptor
REL Release ID from the device descriptor
PID Product ID from the device descriptor
Class Class from either the device descriptor or an interface descriptor
SubClass SubClass from either the device descriptor or an interface descriptor
Prot Protocol from either the device descriptor or an interface descriptor

When creating policy rules, be aware of the following:

  • Rules are case-insensitive.
  • Rules might have an optional comment at the end, introduced by “#.” A delimiter is not required and the comment is ignored for matching purposes.
  • Blank and pure comment lines are ignored.
  • Whitespace used as a separator is ignored, but cannot appear in the middle of a number or identifier. For example, Deny: Class=08 SubClass=05 is a valid rule; Deny: Class=0 8 Sub Class=05 is not.
  • Tags must use the matching operator “=.” For example, VID=1230.


The following example shows a section of the usb.conf file on the user device. For these rules to be implemented, the same set of rules must exist on the server.

ALLOW: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive

DENY: Class=08 SubClass=05 # Mass Storage Devices

DENY: Class=0D # All Security Devices

Start-up modes

Using desktop appliance mode, you can change how a virtual desktop handles previously attached USB devices. In the WfClient section in the file $ICAROOT/config/module.ini on each user device, set DesktopApplianceMode = Boolean as follows.

TRUE Any USB devices that are already plugged in start-up provided the device is not disallowed with a Deny rule in the USB policies on either the server (registry entry) or the user device (policy rules configuration file).
FALSE No USB devices start up.


By default, optimum webcam performance is provided by HDX RealTime Webcam Video Compression. In some circumstances, however, you may require users to connect webcams using USB support. To do this, you must disable HDX RealTime Webcam Video Compression.

Webcam redirection

Following are a few points on webcam redirection:

  • Webcam redirection works with and without RTME.

  • Webcam redirection works for 32-bit applications. For example, Skype, GoToMeeting. Use a 32-bit browser to verify webcam redirection online. For example,

  • Webcam usage is exclusive to applications. For example, when Skype is running with a webcam and you launch GoToMeeting, exit Skype to use the webcam with GoToMeeting.


The Citrix Workspace app package includes a helper application, xcapture, to assist with the exchange of graphical data between the server clipboard and non-ICCCM-compliant X Windows applications on the X desktop. Users can use xcapture to:

  • Capture dialog boxes or screen areas and copy them between the user device desktop (including non-ICCCM-compliant applications) and an application running in a connection window
  • Copy graphics between a connection window and X graphics manipulation utilities xmag or xv

To start xcapture from the command line:

At the command prompt, type /opt/Citrix/ICAClient/util/xcapture and press ENTER (where /opt/Citrix/ICAClient is the directory in which you installed Citrix Workspace app).

To copy from the user device desktop:

  1. From the xcapture dialog box, click From Screen. The cursor changes to a crosshair.
  2. Choose from the following tasks:
    • Select a window. Move the cursor over the window you want to copy and click the middle mouse button.
    • Select a region. Hold down the left mouse button and drag the cursor to select the area you want to copy.
    • Cancel the selection. Click the right mouse button. While dragging, you can cancel the selection by clicking the right button before releasing the middle or left mouse button.
  3. From the xcapture dialog box, click To ICA. The xcapture button changes color to show that it is processing the information.
  4. When the transfer is complete, use the appropriate paste command in an application launched from the connection window.

To copy from xv to an application in a connection window:

  1. From xv, copy the information.
  2. From the xcapture dialog box, click From XV and then click To ICA. The xcapture button changes color to show that it is processing the information.
  3. When the transfer is complete, use the appropriate paste command in an application launched from the connection window.

To copy from an application in the connection window to xv:

  1. From the application in a connection window, copy the information.
  2. From the xcapture dialog box, click From ICA and then click To XV. The xcapture button changes color to show that it is processing the information.
  3. When the transfer is complete, paste the information into xv.


Relative Mouse

Relative Mouse support provides an option to interpret the mouse position in a relative rather than absolute manner. This capability is required for applications that demand relative mouse input rather than absolute.


This feature is available only in sessions running on Citrix Virtual Apps or Citrix Virtual Desktops 7.8 (or later). It is disabled by default.

To enable the feature:

In the file $HOME/.ICAClient/wfclient.ini, in the section [WFClient], add the entry RelativeMouse=1.

This step enables the feature but keeps it inactive until you activate it.


Refer to the section Alternative Relative Mouse values for additional information about enabling relative mouse features.

To activate the feature:

Type Ctrl/F12.

After the feature is enabled, type Ctrl/F12 again to synchronize the server pointer position with the client. The server and client pointer positions are not synchronized when using Relative Mouse.

To deactivate the feature:

Type Ctrl-Shift/F12.

The feature is also switched off when a session window loses focus.

Alternative Relative Mouse values

Alternatively, consider using the following values for RelativeMouse:

  • RelativeMouse=2 Enables the feature and activates it whenever a session window gains focus.
  • RelativeMouse=3 Enables, activates, and keeps the feature activated always.
  • RelativeMouse=4 Enables or disables the feature when the client-side mouse pointer is hidden or shown. This mode is suitable for automatically enabling or disabling relative mouse for first-person gaming-style application interfaces.

To change the keyboard commands, add settings like:

  • RelativemouseOnChar=F11
  • RelativeMouseOnShift=Shift
  • RelativemouseOffChar=F11
  • RelativeMouseOffShift=Shift

The supported values for RelativemouseOnChar and RelativemouseOffChar are listed under [Hotkey Keys] in the config/module.ini file in the Citrix Workspace app installation tree. The values for RelativeMouseOnShift and RelativeMouseOffShift set the modifier keys to be used and are listed under the [Hotkey Shift States] heading.


Keyboard behavior

To generate a remote Ctrl+Alt+Delete key combination:

  1. Decide which key combination creates the Ctrl+Alt+Delete combination on the remote virtual desktop.
  2. In the WFClient section of the appropriate configuration file, configure UseCtrlAltEnd accordingly:
    • True means that Ctrl+Alt+End passes the Ctrl+Alt+Delete combination to the remote desktop.
    • False (default) means that Ctrl+Alt+Enter passes the Ctrl+Alt+Delete combination to the remote desktop.

Generic redirection

Configuring the Bloomberg v4 keyboard through Generic USB Redirection on the client side:

As a prerequisite, the policy should be enabled in Domain Delivery Controller (DDC).

  1. Find the vid and pid of the Bloomberg keyboard. For example, in Debian and Ubuntu run the following command:


  2. Go to $ICAROOT and edit the usb.conf file.

  3. Add the following entry in the usb.conf file to allow the Bloomberg keyboard for USB redirection, and then save the file.

    ALLOW: vid=1188 pid=9545

  4. Restart the ctxusbd daemon on the client. For example, in Debian and Ubuntu run the following command:

    systemctl restart ctxusbd

  5. Launch a client session. Make sure that the session has focus while plugging in the Bloomberg v4 keyboard for redirection.

Selective redirection

This feature allows the use of the Bloomberg v4 keyboard interface across multiple sessions. This functionality provides flexibility to use the keyboard in all remote sessions except the fingerprint and audio interfaces. The fingerprint and audio interfaces are redirected to single sessions as before.

You can achieve Bloomberg keyboard redirection as follows:

  • through generic USB redirection

  • through generic USB redirection and with selective redirection support


By default, this feature is enabled for x86 and x64 platforms and is disabled for ARMHF platforms.

To enable the feature:

  1. Edit the BloombergRedirection section as follows in the config/All_Regions.ini file.


  2. Perform all the steps mentioned in Generic redirection.

To disable the feature:

  1. Edit the BloombergRedirection section in the config/All_Regions.ini file.

  2. Set the BloombergRedirection value to false.


  3. Perform all the steps mentioned in Generic redirection.


Setting the value to false reverts the functionality to the behavior present in earlier versions of the client, where all the interfaces are redirected to a single session.

Browser content redirection

Chromium Embedded Framework (CEF) for Browser Content Redirection

In releases earlier to Version 1912, BCR used a WebkitGTK+ based overlay to render the content. However, on thin clients, there were performance issues. Starting with Version 1912, BCR uses a CEF-based overlay. This functionality enriches the user experience for BCR. It helps offload network usage, page processing, and graphics rendering to the endpoint.

Starting with Version 2106, CEF-based browser content redirection is fully functional. The feature is enabled by default.

If needed, you can replace the file provided in the Workspace app package with a suitable file that has the required codecs, in the $ICAROOT/cef/ path.


This feature is not supported on armhf platform.

Enabling CEF-based BCR

To enable CEF-based BCR:

  1. Edit the file located at: $ICAROOT/config/All_Regions.ini where, $ICAROOT is the default installation directory of Citrix Workspace app.
  2. Add the following entry in the [Client Engine\WebPageRedirection]section and set it to one of the following values:
    • True- Indicates that CEF-based BCR is enabled.
    • False- Indicates that CEF-based BCR is disabled.

Known issue:

  • When you set the UseCefBrowser option to true in the ~/.ICAClient/All_Regions.ini, the Japanese, Chinese and Korean IME might not work in input fields. Citrix Workspace app for Linux does not support the Japanese, Chinese and Korean IME when using Secure SaaS with Citrix Embedded Browser.

For information about BCR, see Browser content redirection in the Citrix Virtual Apps and Desktops documentation.

Automatic reconnection

This topic describes the HDX Broadcast auto-client reconnection feature. Citrix recommends that you use this feature with the HDX Broadcast session reliability feature.

Users can be disconnected from their sessions because of unreliable networks, highly variable network latency, or range limitations of wireless devices. With the HDX Broadcast auto-client reconnection feature, Citrix Workspace app for Linux can detect unintended disconnections of sessions and reconnect users to the affected sessions automatically.

When this feature is enabled on the server, users do not have to reconnect manually to continue working. Citrix Workspace attempts to reconnect to the session a set number of times until there is a successful reconnection or the user cancels the reconnection attempts. If user authentication is required, a dialog box requesting credentials appears to a user during automatic reconnection. Automatic reconnection does not occur if users exit applications without logging off. Users can reconnect only to disconnected sessions.

By default, Citrix Workspace app for Linux waits 30 seconds before attempting to reconnect to a disconnected session and attempts to reconnect to that session three times.

When connecting through an AccessGateway, ACR is not available. To protect against network dropouts, ensure that Session Reliability is enabled both on the Server and Client, as well as configured on the AccessGateway.

For instructions on configuring HDX Broadcast auto-client reconnection, see your Citrix Virtual Apps and Desktops documentation.

Session reliability

This topic describes the HDX Broadcast session reliability feature, which is enabled by default.

With HDX Broadcast session reliability, users continue to see a published application’s window if the connection to the application experiences an interruption. For example, wireless users entering a tunnel may lose their connection when they enter the tunnel and regain it when they emerge on the other side. During the downtime, all of the user’s data, key presses, and other interactions are stored, and the application appears frozen. When the connection is re-established, these interactions are replayed into the application.

You can now see screen changes when the session reliability begins. With this enhancement, the session window is grayed out and a countdown timer shows the time until the next reconnection attempt occurs. Session reliability


You can alter the grayscale brightness used for an inactive session using Reconnection UI transparency level policy. By default, this value is set to 80. The maximum value cannot exceed 100 (indicates a transparent window) and the minimum value can be set to 0 (a fully blacked out screen).

When a session successfully reconnects, the countdown notification message disappears. You can interact with the desktop as usual.

Starting with the 2109 release, the session reliability notification is enabled by default.

To disable this enhancement:

  1. Navigate to the /opt/Citrix/ICAClient/config/module.ini configuration file.
  2. In the [WFClient] section, modify the following setting:



This feature is supported only for Citrix Virtual Desktops.

When auto-client reconnection and session reliability are configured, session reliability takes precedence if there is a connection problem. Session reliability attempts to re-establish a connection to the existing session. It might take up to 25 seconds to detect a connection problem. And then takes a configurable period (the default is 180 seconds) to attempt the reconnection. If session reliability fails to reconnect, then auto-client reconnect attempts to reconnect.

If HDX Broadcast session reliability is enabled, the default port used for session communication switches from 1494 to 2598.

Citrix Workspace users cannot override the server settings.


HDX Broadcast session reliability requires that another feature, Common Gateway Protocol, is enabled (using policy settings) on the server. Disabling Common Gateway Protocol also disables HDX Broadcast session reliability.

Using session reliability policies

The session reliability connections policy setting enables session reliability.

The session reliability timeout policy setting has a default of 180 seconds, or three minutes. If needed, you can extend the time session reliability keeps a session open. It does not prompt you for reauthentication.


As you extend the amount of time a session is kept open, you might get distracted and walk away from your device. This potentially leaves the session accessible to unauthorized users.

Incoming session reliability connections use port 2598, unless you change the port number defined in the session reliability port number policy setting.

For information on configuring session reliability policies, see Session reliability policy settings.


Session reliability is enabled by default at the server. To disable this feature, configure the policy managed by the server.

Multimedia performance

The Citrix Workspace app includes a broad set of technologies that provide a high-definition user experience for today’s media-rich user environments. These improve the user experience when connecting to hosted applications and desktops, as follows:


Citrix supports RTOP coexistence with Citrix Workspace app for Linux Version 1901 and later with GStreamer 0.1.

HDX MediaStream Windows Media Redirection

HDX Mediastream Windows Media Redirection overcomes the need for the high bandwidths required to provide multimedia capture and playback on virtual Windows desktops accessed from Linux user devices. Windows Media Redirection provides a mechanism for playing the media run-time files on the user device rather than on the server, thereby reducing the bandwidth requirements for playing multimedia files.

Windows Media Redirection improves the performance of Windows Media Player and compatible players running on virtual Windows desktops. A wide range of file formats are supported, including:

  • Advanced Systems Format (ASF)
  • Motion Picture Experts Group (MPEG)
  • Audio-Video Interleaved (AVI)
  • MPEG Audio Layer-3 (MP3)
  • WAV sound files

Citrix Workspace app includes a text-based translation table, MediaStreamingConfig.tbl, for translating Windows-specific media format GUIDs into MIME types GStreamer can use. You can update the translation table to do the following:

  • Add previously unknown or unsupported media filters/file formats to the translation table
  • Block problematic GUIDs to force fall-back to server-side rendering.
  • Add more parameters to existing MIME strings to allow for troubleshooting of problematic formats by changing a stream’s GStreamer parameters
  • Manage and deploy custom configurations depending on the media file types supported by GStreamer on a user device.

With client-side fetching, you can also allow the user device to stream media directly from URLs of the form http://, <mms://>, or <rtsp://> rather than streaming the media through a Citrix server. The server is responsible for directing the user device to the media, and for sending control commands (including Play, Pause, Stop, Volume, Seek). But the server does not handle any media data. This feature requires advanced multimedia GStreamer libraries on the device.

To implement HDX MediaStream Windows Media Redirection:

  1. Install GStreamer 0.10, an open-source multimedia framework, on each user device that requires it. Typically, you install GStreamer before you install Citrix Workspace app to allow the installation process to configure Citrix Workspace app to use it.

    Most Linux distributions include GStreamer. Alternatively, you can download GStreamer from

  2. To enable client-side fetching, install the required GStreamer protocol source plugins for the file types that users play on the device. You can verify that a plug-in is installed and operational using the gst-launch utility. If gst-launch can play the URL, the required plug-in is operational. For example, run gst-launch-0.10 playbin2 uri=<http://example-source/file.wmv> and check that the video plays correctly.

  3. When installing Citrix Workspace app on the device, select the GStreamer option if you are using the tarball script (this is done automatically for the .deb and .rpm packages).

Note about the client-side fetching feature:

  • By default, this feature is enabled. You can disable it using the SpeedScreenMMACSFEnabled option in the Multimedia section of All-Regions.ini. With this option set to False, Windows Media Redirection is used for media processing.
  • By default, all MediaStream features use the GStreamer playbin2 protocol. You can revert to the earlier playbin protocol for all MediaStream features except Client-Side Fetching, which continues to use playbin2, using the SpeedScreenMMAEnablePlaybin2 option in the Multimedia section of All-Regions.ini.
  • Citrix Workspace app does not recognize playlist files or stream configuration information files such as .asx or .nsc files. If possible, users must specify a standard URL that does not reference these file types. Use gst-launch to verify that a given URL is valid.

Note about GStreamer 1.0:

  • By default, GStreamer 0.10 is used for HDX MediaStream Windows Media redirection. GStreamer 1.0 is used only when GStreamer 0.10 is not available.
  • If you want to use GStreamer 1.0, follow the instructions below:
  1. Find the install directory of the GStreamer plug-ins. Depending on your distribution, the OS architecture, and the way you install GStreamer, the installation location of the plug-ins varies. The typical installation path is /usr/lib/x86_64-linux-gnu/gstreamer-1.0 or $HOME/ .local/share/gstreamer-1.0.
  2. Find the install directory of Citrix Workspace app for Linux. The default directory for privileged (root) user installations is /opt/Citrix/ICAClient. The default directory for non-privileged user installations is $HOME/ICAClient/platform (where platform can be linuxx64, for example). For more information, see Install and set up.
  3. Install by making a symbolic link in the GStreamer plug-ins directory: ln -sf $ICACLIENT_DIR/util/ $GST_PLUGINS_PATH/ This step might require elevated permissions, with sudo, for example.
  4. Use gst_play1.0 as the player: ln -sf $ICACLIENT_DIR/util/gst_play1.0 $ICACLIENT_DIR/util/gst_play. This step might require elevated permissions, with sudo, for example.
  • If you want to use GStreamer 1.0 in HDX RealTime Webcam Video Compression, use gst_read1.0 as the reader: ln -sf $ICACLIENT_DIR/util/gst_read1.0 $ICACLIENT_DIR/util/gst_read.

Enabling GStreamer 1.x

In releases earlier to 1912, GStreamer 0.10 was the default version supported for multimedia redirection. Starting with 1912 release, you can configure GStreamer 1.x as the default version.


  • When you play a video, forward and backward seek might not work as expected.
  • When you launch the Citrix Workspace app on ARMHF devices, GStreamer 1.x might not work as expected.
To install GStreamer 1.x

Install the GStreamer 1.x framework and the following plug-ins from

  • Gstreamer-plugins-base
  • Gstreamer-plugins-bad
  • Gstreamer-plugins-good
  • Gstreamer-plugins-ugly
  • Gstreamer-libav
To build binaries locally

On some Linux OS distributions, for example, SUSE and openSUSE, the system might not find the GStreamer packages in the default source list. In this case, download the source code and build all binaries locally:

  1. Download the source code from
  2. Extract the contents.
  3. Navigate to the directory where the unzipped package is available.
  4. Run the following commands:

    $sudo ./configure
    $sudo make
    $sudo make install

By default, the generated binaries are available at /usr/local/lib/gstreamer-1.0/.

For information about troubleshooting, see Knowledge Center article CTX224988.

To configure GStreamer 1.x

To configure GStreamer 1.x for use with Citrix Workspace app, apply the following configuration using the shell prompt:

  • $ln -sf $ICACLIENT_DIR/util/gst_play1.0 $ICACLIENT_DIR/util/gst_play


  • ICACLIENT_DIR - is the installation path of Citrix Workspace app for Linux.
  • GST_PLUGINS_PATH - is GStreamer’s plug-in path. For example, on a 64-bit debian machine it is /usr/lib/x86_64-linux-gnu/gstreamer-1.0/.


  • In releases earlier to Version 2106, the webcam redirection might fail and the session might get disconnected when using GStreamer version 1.15.1 or later.

HDX MediaStream Flash Redirection

HDX MediaStream Flash Redirection enables Adobe Flash content to play locally on user devices, providing users with high definition audio and video playback, without increasing bandwidth requirements.

  1. Ensure that your user device meets the feature requirements. For more information, see System requirements.

  2. Add the following parameters to the [WFClient] section of wfclient.ini (for all connections made by a specific user) or the [Client Engine\Application Launching] section of All_Regions.ini (for all users of your environment):

    • HDXFlashUseFlashRemoting=Ask: Never; Always

      Enables HDX MediaStream for Flash on the user device. By default, this is set to Never and users are presented with a dialog box asking them if they want to optimize Flash content when connecting to webpages containing that content.

    • HDXFlashEnableServerSideContentFetching=Disabled; Enabled

      Enables or disables server-side content fetching for Citrix Workspace app. By default this is set to Disabled.

    • HDXFlashUseServerHttpCookie=Disabled; Enabled

      Enables or disables HTTP cookie redirection. By default, this is set to Disabled.

    • HDXFlashEnableClientSideCaching=Disabled; Enabled

      Enables or disables client-side caching for web content fetched by Citrix Workspace app. By default, this is set to Enabled.

    • HDXFlashClientCacheSize= [25-250]

      Defines the size of the client-side cache, in MB. This can be any size between 25 MB and 250 MB. When the size limit is reached, existing content in the cache is deleted to allow storage of new content. By default, this is set to 100.

    • HDXFlashServerSideContentCacheType=Persistent: Temporary; NoCaching

      Defines the type of caching used by Citrix Workspace app for content fetched using server-side content fetching. By default, this is set to Persistent.

      Note: This parameter is required only if HDXFlashEnableServerSideContentFetching is set to Enabled.

  3. Flash redirection is disabled by default. In /config/module.ini change FlashV2=Off to FlashV2=On to enable the feature.

HDX RealTime webcam video compression

HDX RealTime provides a webcam video compression option to improve bandwidth efficiency during video conferencing, ensuring users experience optimal performance when using applications such as GoToMeeting with HD Faces, Skype for Business.

  1. Ensure that your user device meets the feature requirements.
  2. Ensure that the Multimedia virtual channel is enabled. To do this, open the module.ini configuration file, located in the $ICAROOT/config directory, and check that MultiMedia in the [ICA3.0] section is set to “On.”
  3. Enable audio input by clicking Use my microphone and webcam on the Mic & Webcam page of the Preferences dialog.

Disable HDX RealTime webcam video compression

By default, optimum webcam performance is provided by HDX RealTime Webcam Video Compression. In some circumstances, however, you might require users to connect webcams using USB support. To do this, you must do the following:

  • Disable HDX RealTime Webcam Video Compression
  • Enable USB support for webcams
  1. Add the following parameter to the [WFClient] section of the appropriate .ini file:


    For more information, see default settings.

  2. Open the usb.conf file, typically located at $ICAROOT/usb.conf.

  3. Remove or comment out the following line:

    DENY: class=0e # UVC (default via HDX RealTime Webcam Video Compression)

  4. Save and close the file.

Secure SaaS with Citrix Embedded Browser experimental feature

Secure access to SaaS applications provides a unified user experience that delivers published SaaS applications to the users. SaaS apps are available with single sign-on. Administrators can now protect the organization’s network and end-user devices from malware and data leaks by filtering access to specific websites and website categories.

Citrix Workspace app for Linux support the use of SaaS apps using the Access Control Service. The service enables administrators to provide a cohesive experience, integrating single sign-on, and content inspection.


Ensure that libgtkglext1 package is available.

Delivering SaaS apps from the cloud has the following benefits:

  • Simple configuration – Easy to operate, update, and consume.
  • Single sign-on – Hassle-free log on with single sign-on.
  • Standard template for different apps – Template-based configuration of popular apps.


SaaS with Citrix Browser Engine is supported only on x64 and x86 platforms and not on ArmHardFloatPort (armhf) hardware.

For information on how to configure SaaS apps using Access Control Services, see the Access Control documentation.

For more information about SaaS apps with Citrix Workspace app, see Workspace configuration in Citrix Workspace app for Windows documentation.


Citrix Workspace app supports the display of H.264 graphics, including HDX 3D Pro graphics, that are served by Citrix Virtual Apps and Desktops 7. This support uses the deep compression codec feature, which is enabled by default. The feature provides better performance of rich and professional graphics applications on WAN networks compared with the existing JPEG codec.

Follow the instructions in this topic to disable the feature (and process graphics using the JPEG codec instead). You can also disable text tracking while still enabling deep compression codec support. This helps to reduce CPU costs while processing graphics that include complex images but relatively small amounts of text or non-critical text.


To configure this feature, do not use any lossless setting in the Citrix Virtual Apps and Desktops Visual quality policy. If you do, H.264 encoding is disabled on the server and does not work in Citrix Workspace app.

To disable deep compression codec support:

In wfclient.ini, set H264Enabled to False. This also disables text tracking.

To disable text tracking only:

With deep compression codec support enabled, in wfclient.ini set TextTrackingEnabled to False.

Screen tiles

You can improve the way that JPEG-encoded screen tiles are processed using the direct-to-screen bitmap decoding, batch tile decoding, and deferred XSync features.

  1. Ensure that your JPEG library supports these features.

  2. In the Thinwire3.0 section of wfclient.ini, set DirectDecode and BatchDecode to True.

    Note: Enabling batch tile decoding also enables deferred XSync.


In earlier releases, the debug.ini and module.ini files were used to configure logging.

As of Version 2009, you can configure logging using one of the following methods:

  • Command-line interface
  • Graphical user interface (GUI)

Also as of Version 2009, the debug.ini configuration file is removed from the Citrix Workspace app installer package.

Logging captures the Citrix Workspace app deployment details, configuration changes, and administrative activities to a logging database. A third-party developer can leverage this logging mechanism by using the logging SDK, which is bundled as part of the Citrix Workspace app Platform Optimization SDK.

You can use the log information to:

  • Diagnose and troubleshoot issues that occur after any changes. The log provides a breadcrumb trail.
  • Assist change management and track configurations.
  • Report administration activities.

If Citrix Workspace app is installed with root user privileges, the logs are stored in the /var/log/citrix/ICAClient.log. Otherwise, the logs are stored in ${HOME}/.ICAClient/logs/ICAClient.log.

When Citrix Workspace app is installed, a user called citrixlog is created to handle the logging functionality.

Command-line interface

  1. At the command prompt, navigate to the /opt/Citrix/ICAClient/util path.
  2. Run the following command to set the log preferences.

    ./setlog help

All the available commands are displayed.

The following table lists various modules and their corresponding trace class values. Use the following table for a specific command-line log value set:

Module Log class
Assertions LOG_ASSERT
Audio Monitor TC_CM
Client Audio Mapping TC_CAM
Connection Center TC_CONNCENTER
Client Communication Port TC_CCM
Client Drive Mapping TC_CDM
Client Printer Mapping TC_CPM
Client Printer Mapping TC_CPM
Graphics Abstraction TC_GA
Input Method Editor TC_IME
Keyboard Mapping TC_KEY
Licensing Driver TC_VDLIC
Multimedia TC_MMVD`
Mouse Mapping TC_MOU
Other Libraries TC_LIB
Protocol Driver TC_PD
Standard Event Logs LOG_CLASS
Selfservice TC_SS
Selfservice Extension TC_SSEXT
StorefrontLib TC_STF
Transport Driver TC_TD
Thinwire TC_TW
Transparent Window Interface TC_TUI
Virtual Channel TC_VD
UIDialogLibWebKit3 TC_UIDW3
UIDialogLibWebKit3_ext TC_UIDW3E
Video Frame Driver TC_VFM
WinStation Driver TC_WD
Wfica Engine TC_WENG
Wfica Shell TC_WFSHELL
Web helper TC_WH
Zero Latency TC_ZLC


Go to Menu > Preferences. The Citrix Workspace-Preferences dialog appears. Preferences dialog

At increasing levels of tracing detail, the following values are available:

  • Disabled
  • Only errors
  • Normal
  • Verbose

By default, the Logging option is set to Normal.

Due to the large amount of data that can be generated, tracing might significantly impact the performance of Citrix Workspace app. The Verbose level is not recommended unless required for troubleshooting.

Click Save and Close after you select the desired logging level. The changes are applied in the session dynamically.

Click the settings icon next to the Logging option drop-down menu. The Citrix Log Preferences dialog appears. Log Preferences dialog


If you delete the ICAClient.log file, you must restart the logging service ctxlogd.

For example, if you are on a systemd-capable setup, run the following command:

systemctl restart ctxlogd.

Enabling logging on Version 2006 and earlier:

If you are on Version 2006 and earlier, enable the logging using the procedure below:

  1. Download and install Citrix Workspace app on your Linux machine.
  2. Set the ICAROOT environment variable to the installation location.

    For example, /opt/Citrix/ICAClient.

    By default, the TC_ALL trace class is enabled to provide all the traces.

  3. To collect logs for a particular module, open the debug.ini file at $ICAROOT and add the required trace parameters to the [wfica] section.

    Add the trace classes with a “+” symbol. For example, +TC_LIB.

    You can add multiple classes separated by the pipe symbol. For example, +TC_LIB|+TC_MMVD.

The following table lists wfica modules and their corresponding trace class values:

Module TraceClasses value
Graphics TC_TW
WFICA (Session Launch) TC_NCS
Printing TC_CPM
Connection Sequence - WD TC_WD
Connection Sequence - PD TC_PD
Connection Sequence - TD TC_TD
Proxy related files TC_PROXY
MultiMedia Virtual Driver / Webcam TC_MMVD
Virtual Drivers TC_VD
Client Drive Mapping TC_CDM
Audio TC_CAM
COM (Communication Port) TC_CCM
Seamless TC_TWI

The following table lists connection center module and their corresponding trace class value:

Module TraceClasses value
Connection center TC_CSM

The following table lists trace class value for setWebHelper:

TraceClasses value
Set logSwitch to 1 (to enable) or 0 (to disable)
Example: logSwitch = 1


If ctxlogd turns unresponsive, the logs are traced in syslog.

For information about getting new and refreshed logs in subsequent launches, see Syslog configuration.

Syslog configuration

By default, all syslog logs are saved at /var/log/syslog. You can configure the path and the name of the log file by editing the following line under the [RULES] section in the /etc/rsyslog.conf file. For example,

user.* -/var/log/logfile_name.log

Save your changes and then restart the syslog service using the command:

sudo service rsyslog restart

Points to remember:

  • To ensure that a new syslog is available, delete syslog and run the command: sudo service rsyslog restart.

  • To avoid duplicate messages, add $RepeatedMsgReduction on at the beginning of the rsyslog.conf file.

  • To receive logs, ensure that the $ModLoad line is uncommented at the beginning of the rsyslog.conf file.

Remote logging

To enable remote logging on:

  • Server-side configuration: uncomment the following lines in the rsyslog.conf file of the syslog server:

    $ModLoad imtcp

    $InputTCPServerRun 10514

  • Client-side configuration: add the following line in rsyslog.conf file by replacing localhost with the IP address of the remote server:

    *.* @@localhost:10514

Collecting log files

Previously, there was no tool available to collect log files in Citrix Workspace app. Log files were present in different folders. You had to manually collect log files from different folders.

Starting with this release, Citrix Workspace app introduces tool to collect log files from different folders. You can run the tool using command line. The log files are generated as a compressed log file. You can download it from the local server.


  • Python3
  • Requires additional space to save the logs

Starting with Version 2109, two new files are added to collect log files using the tool:

  • logcollector.ini file – Saves the name and path of the log file.
  • file – Collects the log files and saves them as cwalog_{timestamp}.tar.gz compressed file.

By default, the [hdxteams] component is added in the logcollector.ini file to collect log files for Microsoft Teams. However, you can add other components also in the logcollector.ini file using the following procedure:

  1. Navigate to the ${HOME}/.ICAClient/logs/ICAClient.log/logcollector.ini file.
  2. Add the component that you need to collect log files as per the following example:


log_name1 = “log_path1”

log_name2 = “log_path2”

If you are on Version 2109, collect log files using the following procedure:

  1. Download and install Citrix Workspace app on your Linux machine.
  2. At the command line, navigate to /opt/Citrix/ICAClient/util path.
  3. Run the following command: ./ -h

    The following command usage information appears:

    usage: collect_log [-h] [-c CONFIG] [-a ARCHIVE]optional arguments: -h, --help show this help message and exit -c CONFIG, --config CONFIG The logcollector.ini path & file -a ARCHIVE, --archive ARCHIVE The archive path & file

  4. Run the following commands as required:

    • ./ – Collects log files using the configuration file from the default path and saves them as a compressed log files at the default path.
    • ./ -c /user_specified_path/logcollector.ini – Collects log files using the configuration file from a user-specified path and saves them as a compressed log files at the default path.
    • ./ -c /user_specified_path/logcollector.ini -a/another_user_specified_path/ – Collects log files using the configuration file from a user-specified path and saves them as a compressed log files at the user defined path.


    The default path of the logcollector.ini configuration file is /opt/Citrix/ICAClient/config/logcollector.ini. The default path of compressed log file is /tmp.

  5. Navigate to the /tmp folder and collect the cwalog_{timestamp }.tar.gz compressed file.


The log files are saved in the /tmp folder with the file name cwalog_{timestamp}.tar.gz.

Optimization for Microsoft Teams

Optimization for desktop-based Microsoft Teams using Citrix Virtual Apps and Desktops and Citrix Workspace app. Optimization for Microsoft Teams is similar to HDX RealTime Optimization for Microsoft Skype for Business. The difference is that, we bundle all necessary components for Microsoft Teams optimization into the VDA and the Workspace app for Linux.

Citrix Workspace app for Linux supports audio, video, and screen sharing features with Microsoft Teams optimization.


  • Microsoft Teams optimization is supported only on x64 Linux distributions.

For information on how to enable logging, follow the steps mentioned under Logging for Microsoft Teams.

For information on system requirements, see Microsoft Teams Optimization.

For more information, see Optimization for Microsoft Teams and Microsoft Teams redirection.

Encoder performance estimator for Microsoft Teams

HdxRtcEngine is the WebRTC media engine embedded in Citrix Workspace app that handles Microsoft Teams redirection. HdxRtcEngine.exe can estimate the best encoding resolution that the endpoint’s CPU can sustain without overloading. Possible values are 240p, 360p, 720p, and 1080p.

The performance estimation process utilizes macroblock code to determine the best resolution that can be achieved with the particular endpoint. The Codec negotiation during a call setup includes the highest possible resolution. The Codec negotiation can be between the peers, or between the peer and the conference server.

The following table lists the four performance categories for endpoints that have its own maximum available resolution:

Endpoint performance Maximum resolution Registry key value
Fast 1080p 3
Medium 720p 2
Slow 360p 1
Very slow 240p 0

To set the encoding resolution value, for example to 360p, run the following command from the terminal:

mkdir -p ~/.config/citrix/hdx_rtc_engine/

vim ~/.config/citrix/hdx_rtc_engine/config.json




Logging for Microsoft Teams

To enable logging for Microsoft Teams:

  1. Navigate to the /opt/Citrix/ICAClient/debug.ini file.
  2. Modify the [HDXTeams] section as follows:

    ; Retail logging for HDXTeams 0/1 = disabled/enabled
    HDXTeamsLogSwitch = 1
    ; Debug logging; , It is in decreasing order
    ; LS_NONE = 4, LS_ERROR = 3, LS_WARNING = 2, LS_INFO = 1, LS_VERBOSE = 0
    WebrtcLogLevel = 0
    ; None = 5, Info = 4, Warning = 3, Error = 2, Debug = 1, Trace = 0
    WebrpcLogLevel = 0

Support for NetScaler App Experience (NSAP) virtual channel

Previously available as an experimental feature, the NetScaler App Experience (NSAP) virtual channel feature is now fully supported. All HDX Insight data is sourced from the NSAP virtual channel exclusively and sent uncompressed. This approach improves scalability and performance of sessions. The NSAP virtual channel is enabled by default. To disable it, toggle the VDNSAP flag VDNSAP=Off in the module.ini file.

For more information, see HDX Insight in the Linux Virtual Delivery Agent documentation, and HDX Insight in the Citrix Application Delivery Management service documentation.

Multi-monitor layout persistence

This feature retains the session monitor layout information across endpoints. The session appears at the same monitors as configured.


This feature requires the following:

  • StoreFront v3.15 or later.
  • If .ICAClient is already present in the home folder of the current user:

    Delete All_Regions.ini file


    To retain AllRegions.ini file, add the following lines at the end of the [Client Engine\Application Launching] section:






If the .ICAClient folder is not present, it indicates a fresh install of the Citrix Workspace app. In that case, the default setting for the feature is retained.

Use cases

  • Launch a session on any monitor in windowed mode and save the setting. When you relaunch the session, it appears in the same mode, on the same monitor, and in the same position.
  • Launch a session on any monitor in full-screen mode and save the setting. When you relaunch the session, it appears in full-screen mode on the same monitor.
  • Stretch and span a session in windowed mode across multiple monitors and then switch to full-screen mode. The session continues in full-screen across all monitors. When you relaunch the session, it appears in full-screen mode, spanning across all monitors.


The layout is overwritten with every save, and the layout is saved only on the active StoreFront.

If you launch multiple desktop sessions from the same StoreFront on different monitors, saving the layout in one session saves the layout information of all the sessions.

Save layout

To enable the save layout feature:

  1. Install the StoreFront 3.15 or later version (equal or greater than v3.15.0.12) on a compatible Delivery Controller (DDC).
  2. Download the build of Citrix Workspace app 1808 or later for Linux from the Downloads page and then install it on your Linux machine.
  3. Set the ICAROOT environment variable to the install location.
  4. Check whether the All_Regions.ini file is present in the .ICAClient folder. If so, delete it.
  5. In the $ICAROOT/config/All_Regions.ini file, look for the field – SaveMultiMonitorPref. By default, the value of this field is “true” (meaning this feature is turned on). To toggle off this feature, set this field to false. If you make any changes to the value of SaveMultiMonitorPref, you must delete the All_Regions.ini file present in the .ICAClient folder to prevent value mismatches and a possible profile lockdown. Set or unset the SaveMultiMonitorPref flag before launching sessions.
  6. Launch a new desktop session.
  7. Click Save Layout on the Desktop Viewer toolbar to save the current session layout. A notification appears at the bottom right of the screen, indicating success. When you click Save layout, the icon grays out. This indicates that saving is in progress. When the layout is saved the icon appears normal. However, if the icon is grayed out for a long time, see Knowledge Center article CTX235895 for troubleshooting information.
  8. Disconnect or log off from the session. Relaunch the session. The session appears in the same mode, on the same monitor, and in the same position.

Limitations and unsupported scenarios:

  • Saving a layout for windowed mode session spanning across multiple monitors is not supported due to limitations with the Linux Display manager.
  • Saving session information across monitors with varied resolution is not supported in this release and might result in unpredictable behavior.
  • Customers deployments with multiple StoreFront

Using Citrix Virtual Desktops on dual monitor

  1. Select the Desktop Viewer and click the down arrow.
  2. Select Window.
  3. Drag the Citrix Virtual Desktops screen between the two monitors. Ensure that about half the screen is present in each monitor.
  4. From the Citrix Virtual Desktop toolbar, select Full-screen.

    The screen extends to both the monitors.

Workspace launcher

Citrix introduces Workspace launcher (WebHelper) to launch published desktops and applications.

Previously, the browser plug-in provided along with Citrix Workspace app for Linux enabled users to launch published desktops and applications was based on the NPAPI.

As a solution, Citrix is introducing Workspace launcher (WebHelper). To enable this feature, configure StoreFront to send requests to Workspace launcher to detect the Citrix Workspace app installation.

Starting with Version 1901, Citrix Workspace launcher works with direct connections to StoreFront and Citrix Gateway. This feature helps to launch the ICA file automatically and to detect the Citrix Workspace app installation.

As a solution, Citrix is introducing Workspace launcher (WebHelper). To enable this feature, configure StoreFront to send requests to Workspace launcher to detect the Citrix Workspace app installation.

For information about configuring StoreFront, see Solution – 2 > a) Administrator configuration in Knowledge Center article CTX237727.


Citrix Workspace launcher currently works only with direct connections to StoreFront. It is not supported in other cases such as connections through Citrix Gateway.

Disabling new workspace web UI mode

When you launch the Citrix Workspace app for Linux using self-service executable file from third-party thin-client vendors, the application can become unresponsive due to 100% CPU utilization.

As a workaround, to switch back to the old UI mode:

  1. Remove cached files by using the command: rm -r ~/.ICAClient
  2. Go to $ICAROOT/config/AuthManconfig.xml file.
  3. Change CWACapableEnabled key value to false.
  4. Launch Citrix Workspace app for Linux. Observe that the self-service executable file loads the old UI.

Keyboard layout synchronization

Keyboard layout synchronization between client and VDA enables you to switch among preferred keyboard layouts on the client device when using a Windows or a Linux VDA. This feature is disabled by default.


  • Enable the Unicode Keyboard Layout Mapping feature on the Windows VDA. For more information, see Knowledge Center article CTX226335.

  • Enable the Dynamic Keyboard layout sync feature on the Linux VDA. For more information, see Dynamic keyboard layout synchronization
  • Keyboard layout synchronization is dependent on XKB lib, which allows automatic keyboard layout synchronization between the VDA and the client device.
  • When using a Windows Server 2016 or Windows Server 2019, navigate to HKEY_LOCAL_MACHINE\Software\Citrix\ICA\IcaIme registry path and add a new DWORD value with key name DisableKeyboardSync and set the value to 0.

To enable this feature, add the following lines to the module.ini file:

[ICA 3.0]



DriverName = VDIME.DLL

When you set KeyboardSync=On in the module.ini file and set KeyboardLayout=(User Profile) in the wfclient.ini file, the vdime virtual driver detects the active keyboard layout on the client and sends the information to VDA. When the keyboard layout changes in a client session, the vdime is aware and sends the new layout to VDA immediately.

To disable this feature, set KeyboardSync=Off in the module.ini file to revert to the earlier behavior. In the earlier behavior, the keyboard layout is read from the $HOME/.ICAClient/wfclient.ini file and sent to the VDA along with other client information when the session starts.


With this feature enabled, when the keyboard layout changes on the client device during a session, the keyboard layout of the session changes accordingly.

Keyboard layout support for Windows VDA and Linux VDA


The Linux keyboard locale for all the references in the following table is a hyphen.

Linux Keyboard Layout Linux Keyboard / Linux VDA layout Windows Locale Windows Keyboard ID Linux VDA Layout
ara - ar-SA 00000401 ara
ara azerty ar-DZ 00020401 ara
at - de-AT 00000407 at
be iso-alternate fr-BE 0000080c be
be - nl-BE 00000813 be
bg - bg-BG 00030402 bg
bg phonetic bg-BG 00040402 bg
bg bas_phonetic bg-BG 00020402 bg
br - pt-BR 00000416 br
by - be-BY 00000423 by
ca eng en-CA 00000409 ca
ca multix fr-CA 00011009 ca
ca fr-legacy fr-CA 00000c0c ca
ca - fr-CA 00001009 ca
ch fr fr-CH 0000100c ch
ch - de-CH 00000807 ch
cn - en-US 00000409 us
cz - cs-CZ 00000405 cz
cz qwerty cs-CZ 00010405 cz
de - de-DE 00000407 de
de mac de-DE 00000407 de
dk - da-DK 00000406 dk
ee - et-EE 00000425 ee
es - es-ES 0000040a es
es mac es-ES 0000040a es
fi - fi-FI 0000040b fi
fr - fr-FR 0000040c fr
fr mac fr-FR 0000040c fr
gb - en-GB 00000809 gb
gb mac en-GB 00000809 gb
gb extd en-GB 00000452 gb
gr - el-GR 00000408 gr
hr - hr-HR 0000041a hr
hu - hu-HU 0000040e hu
ie - en-IE 00001809 ie
il - he-IL 0002040d il
in eng en-IN 00004009 in
iq - ar-IQ 00000401 iq
is - is-IS 0000040f is
it - it-IT 00000410 it
jp - en-US 00000409 us
jp mac en-US 00000409 us
kr - en-US 00000409 us
latam - es-MX 0000080a latam
lt - lt-LT 00010427 lt
lt ibm lt-LT 00000427 lt
lt std lt-LT 00020427 lt
lv - lv-LV 00020426 lv
no - nb-NO 00000414 no
pl - pl-PL 00000415 pl
pl qwertz pl-PL 00010415 pl
pt - pt-PT 00000816 pt
pt mac pt-PT 00000816 pt
ro std ro-RO 00010418 ro
rs - sr-Cyrl-RS 00000c1a rs
rs latin sr-Latn-RS 0000081a rs
ru - ru-RU 00000419 ru
ru typewriter ru-RU 00010419 ru
ru mac ru-RU 00000419 ru
se - sv-SE 0000041d se
se mac sv-SE 0000041d se
si - sl-SI 00000424 si
sk - sk-SK 0000041b sk
sk qwerty sk-SK 0001041b sk
th - th-TH 0000041e th
th pat th-TH 0001041e th
tj - tg-Cyrl-TJ 00000428 tj
tr - tr-TR 0000041f tr
tr f tr-TR 0001041f tr
tw - en-US 00000409 us
ua - uk-UA 00000422 ua
us - en-US 00000409 us
us mac en-US 00000409 us
us dvorak en-US 00010409 us
us dvorak-l en-US 00030409 us
us dvorak-r en-US 00040409 us
us intl nl-NL 00020409 us
vn - vi-VN 0000042a vn

VDA keyboard layout

The VDA keyboard layout feature helps you use the VDA keyboard layout regardless of the client’s keyboard layout settings. It supports the following types of keyboard: PC/XT 101, 102, 104, 105, 106.

To use the server-side keyboard layout:

  1. Launch the wfclient.ini file.

  2. Change the value of the KeyboardLayout attribute as below:

    KeyboardLayout=(Server Default)

    The default value for KeyboardLayout attribute is (User Profile).

  3. Relaunch the session for the changes to take effect.

File type association

A Citrix Virtual Apps Services may also publish a file, rather than an application or desktop. This process is referred to as publishing content, and allows pnabrowse to open the published file.

There is a limitation to the type of files that are recognized by Citrix Workspace app for Linux. For the system to recognize the file type of the published content and for users to view it through Citrix Workspace app, a published application must be associated with the file type of the published file. For example, to view a published Adobe PDF file using Citrix Workspace app, an application such as Adobe PDF Viewer must be published. Unless a suitable application is published, users cannot view the published content.

To enable FTA on the client-side:

  1. Ensure that the app that you want to associate is a favorite or a subscribed application.
  2. To get the list of published applications and the server URL, run the commands:

    ./util/storebrowse -l
    ./util/storebrowse -S <StoreFront URL>
  3. Run the ./util/ctx_app_bind command with the following syntax:

    ./util/ctx_app_bind [-p] example_file|MIME-type published-application [server|server-URI]

    for example, ./util/ctx_app_bind a.txt BVT_DB.Notepad_AWTSVDA-0001 https://awddc1.bvt.local/citrix/store/discovery

  4. Ensure that the file you are attempting to open is client drive mapping (CDM) enabled.
  5. Double-click the file to open it using the associated application.

Associating a published application with file types

Citrix Workspace app reads and applies the settings configured by administrators in Citrix Studio.


Ensure that you connect to the Store server where the FTA is configured.

To link a file name extension with a Citrix Workspace app for Linux application:

  1. Publish the application.
  2. Log on to Citrix Studio.
  3. Right-click the application and select Properties.
  4. Select Location.
  5. Add “%**” in the Command-line argument (optional) field to bypass the command-line validation and then click OK.

    Image of FTA location

  6. Right-click the application and select Properties.
  7. Select File Type Association.
  8. Select all the extensions that you want Citrix Workspace app to associate with the application. Image of FTA extensions
  9. Click Apply and Update file types.
  10. Follow the steps mentioned in File type association to enable FTA on the client-side.


Ensure StoreFront file type association is ON. By default, file type association is enabled.

Support for Citrix Analytics

Citrix Workspace app for Linux is instrumented to securely transmit logs to Citrix Analytics when certain events are triggered by the app. The logs are analyzed and stored on Citrix Analytics servers when enabled. For more information about Citrix Analytics, see Citrix Analytics.

Transparent user interface

The Citrix ICA protocol uses Transparent User Interface Virtual Channel [TUI VC] protocol to transmits data between Citrix Virtual Apps and Desktops and host servers. The TUI protocol transmits user interface [UI] component messages for remote connections.

Citrix Workspace app for Linux supports the TUI VC feature. This feature helps the client to receive the TUI packets sent by the server, and the client can access the UI-related components. This functionality helps you to control the display of the default overlay screen. You can toggle the VDTUI flag in the module.ini file: VDTUI - On/Off

For more information on Virtual Channels, see Citrix ICA virtual channels in Citrix Virtual Apps and Desktops documentation.