Product documentation
Citrix Workspace™ app for Linux
View PDF

Citrix Workspace app for Linux 2604 - Preview

May 29, 2026
Contributed by: 
S C S

You can download Citrix Workspace app for Linux 2604 preview version from the Downloads page.

Note:

This is an Early Access Build shared for the purpose of testing or validation with the intent to make organizations ready for the upcoming release and is NOT advised to be deployed in production environments.

What’s new

The following is a list of features that are available in Citrix Workspace app 2604 for Linux:

Enhanced Browser Content Redirection with Server-Side Certificate validation

Starting with Citrix Workspace app 2604 for Linux, Browser Content Redirection is further enhanced with certificate validation support. When accessing a redirected website from the client, the client overlay browser may not trust the certificate from the server or the MitM proxy. In such cases, BCR can now validate the Host or Proxy certificates against the VDAs certificate store.

For more information, see Server-side certificate validation document.

Requirements

This feature is enabled by default, and no configuration is necessary once the following requirements are met:

  • CVAD 2507 LTSR or later, or CVAD 2511 CR or later
  • CWA Linux 2604 or later
  • Browser Redirection Extension (Chrome or Edge) 25.11 or later

Browser Content Redirection with Single Sign-On Support

Starting with Citrix Workspace app 2604 for Linux, Browser Content Redirection now offers a streamlined user experience with single sign-on support, enabling VDA-side authentication and cookie sharing. This enhancement eliminates redundant logins, boosting productivity by maintaining authentication and cookie persistence across BCR sessions, even after the BCR window is closed. This seamless experience further enhances security by ensuring authentication originates from the VDA, not the client.

For more information, see the Browser Content Redirection documentation.

Entra ID single sign-on for NetScaler Gateway stores

Starting with Citrix Workspace app 2604 for Linux, you can configure Entra ID single sign-on (SSO) for on-premises stores that are accessed through a NetScaler Gateway. This enhancement lets users launch virtual apps and desktops without re-entering their Entra ID credentials.

Install dependencies

Install the following packages if they are not already present on the endpoint.

For Ubuntu or Debian:

sudo apt install gnome-keyring libsecret-1-0 libwebkit2gtk-4.0-37
<!--NeedCopy-->

For RHEL or Fedora:

sudo dnf install gnome-keyring libsecret-1-0 libwebkit2gtk-4.0-37
<!--NeedCopy-->

For openSUSE:

sudo zypper install gnome-keyring libsecret-1-0 libwebkit2gtk-4.0-37
<!--NeedCopy-->

Configure Entra ID SSO

All Entra ID SSO settings are available in /opt/Citrix/ICAClient/config/AuthManConfig.xml.

Edit the file with root privileges:

sudo vi /opt/Citrix/ICAClient/config/AuthManConfig.xml
<!--NeedCopy-->

Configure the following settings as needed:

  • PersistCookies: Persists Entra ID SSO cookies in memory when the authentication window closes. The default value is false.
  • AADSSOEnabled: Enables or disables Entra ID SSO. The default value is true.
  • AADSSOWithFido2AuthenticationEnabled: Uses the system browser for authentication instead of the built-in WebKitGTK window. The default value is false.
  • SharedAuthContextEnabled: Persists Entra ID cookies across app launches in the same user session. The default value is false.
  • EnableBypassGateway: Reuses the AAD-issued gateway cookie (NSC_AAAC) to bypass interactive NetScaler Gateway authentication. The default value is false.

Example:

<PersistCookies>true</PersistCookies>

<key>AADSSOEnabled</key>
<value>true</value>

<key>AADSSOWithFido2AuthenticationEnabled</key>
<value>false</value>

<key>SharedAuthContextEnabled</key>
<value>true</value>

<key>EnableBypassGateway</key>
<value>true</value>
<!--NeedCopy-->

How it works

Self-Service UI

Launch Citrix Workspace app for Linux from the application menu or by running:

/opt/Citrix/ICAClient/selfservice
<!--NeedCopy-->

Use the following workflow:

  1. Sign in to the NetScaler Gateway store.
  2. Launch an application or desktop.
  3. Complete Entra ID authentication in the WebKitGTK window the first time that you launch a resource.
  4. Start the session without entering credentials again on the VDA.

When PersistCookies is true, Citrix Workspace app reuses the Entra ID session for subsequent launches in the same session. When EnableBypassGateway is true, the NetScaler Gateway authentication step is also skipped by reusing the NSC_AAAC cookie that was obtained during the Entra ID sign-in flow.

Storebrowse

storebrowse provides the same Entra ID SSO experience from the command line.

Use the following workflow:

  1. Add the NetScaler Gateway store:

    /opt/Citrix/ICAClient/util/storebrowse --addstore "https://gateway.example.com"
<!--NeedCopy-->

  2. List the configured stores:

    /opt/Citrix/ICAClient/util/storebrowse --liststore
<!--NeedCopy-->

  3. List the published applications:

    /opt/Citrix/ICAClient/util/storebrowse -E "https://gateway.example.com/Citrix/Store/discovery"
<!--NeedCopy-->

  4. Launch an application:

    /opt/Citrix/ICAClient/util/storebrowse -L "Citrix.MPS.Desktop.Notepad" "https://gateway.example.com/Citrix/Store/discovery"
<!--NeedCopy-->

  5. Complete Entra ID authentication when the authentication window appears on the first launch.

On the first launch, an Entra ID authentication window appears. After the user authenticates, Citrix Workspace app acquires the SSO token and embeds it in the session so that the VDA does not prompt for credentials. If EnableBypassGateway is true, the gateway authentication step is skipped by reusing the NSC_AAAC cookie.

Shared workstation mode

For kiosk or shared Linux thin-client deployments, enable shared user mode:

/opt/Citrix/ICAClient/util/storebrowse -c SharedUserMode=True
<!--NeedCopy-->

Authentication methods

Built-in window

By default, Citrix Workspace app uses a WebKitGTK window for Entra ID authentication. No additional software is required beyond the standard dependencies. When SharedAuthContextEnabled is true, the built-in window uses the same cookie context as the store webview. Cookies are stored in a persistent SQLite database that WebKitGTK manages. Each authentication attempt uses a 30-second timeout.

System browser

Set AADSSOWithFido2AuthenticationEnabled=true to use the system browser instead of the built-in window. The browser redirects back to Citrix Workspace app through the ctxaadsso:// protocol handler.

Use the system browser in the following cases:

  • Your organization requires FIDO2 security key authentication.
  • Conditional Access policies require a specific browser.
  • Browser-based smart card or certificate authentication is required.

Supported browsers are Google Chrome, Chromium, Mozilla Firefox, and Microsoft Edge for Linux. Citrix Workspace app registers the ctxaadsso:// protocol handler automatically during installation by using the desktop file at /opt/Citrix/ICAClient/desktop/ctxaadsso.desktop.

Removal of Citrix Enterprise Browser

Starting with Citrix Workspace app 2604 for Linux, the Citrix Enterprise Browser (CEB) is removed from the CWA-L package, along with the related setup components. For FIDO2 sign-ins, authentication now occurs in the system default web browser instead of CEB. This change simplifies the sign-in experience and aligns it with standard browser-based authentication.

Google Chrome support for FIDO2 authentication

Starting with Citrix Workspace app 2604 for Linux, you can use Google Chrome for FIDO2 cloud authentication.

To configure Google Chrome for FIDO2 authentication, add the following setting to AuthManConfig.xml:

<FIDO2AuthBrowser>google-chrome</FIDO2AuthBrowser>
<!--NeedCopy-->

Enhanced call connects times with UCSDK Optimization

Starting with Citrix Workspace app 2604 for Linux, the Smart Sync feature introduced in Unified Communications SDK (UCSDK) 5.0.0 accelerates call connection times by streamlining communication between the VDA and the client endpoint. This enhancement delivers faster call setup across the board, with the most significant performance improvements in high-latency network environments.

For more information, see UCSDK documentation.

Service continuity for connectorless workloads

Starting with Release 2604, Citrix Workspace app for Linux supports Service Continuity for connectorless workloads. This enhancement helps users maintain access to their connectorless resources during an outage.

For information about how to configure Service Continuity, see Service continuity.

Shortcuts menu for macOS VDA

Starting with Citrix Workspace app 2604 for Linux, users connecting to a macOS VDA can access the Shortcuts menu in the session toolbar for quick access to common operating system actions without requiring complex keyboard shortcuts or trackpad gestures.

Note:

The Shortcuts menu appears only when the endpoint is connected to a macOS VDA.

The Shortcuts menu includes the following options:

  • Mission Control
  • App Expose
  • Launchpad
  • Show Desktop
  • Restart Citrix Services

  • Restart macOS

    Shortcuts List

Scanner workflow optimization

Starting with Citrix Workspace app 2604 for Linux, scanner redirection improves scan performance by caching SANE initialization and device-list responses to reduce repeated communication between components. It also improves recovery from scanner faults, such as paper jams, to help prevent pipe read blocks, and uses the latest IcaGenScan SDK APIs.

EDT Lossy support with Secure HDX 2.0

Starting with Citrix Workspace app 2604 for Linux, direct CWA-to-VDA connections now support Enlightened Data Transport (EDT) Lossy with Secure HDX 2.0. Previously, EDT Lossy was available only with Datagram Transport Layer Security (DTLS) or HDX Direct.

Dual VCSDK binary sets for Linux (Technical Preview)

Starting with Citrix Workspace app 2604 for Linux, the Virtual Channel SDK (VCSDK) package includes two Linux binary sets instead of one so that you can choose the build that matches your target environment.

Citrix Workspace app for Linux 2604 continues to use GCC 8. The VCSDK package also includes a GCC 11 build as a Technical Preview.

Folder Built with When to use
linux64 GCC 11 Technical Preview only. Requires glibc 2.35 or later.
linux64_gcc8 GCC 8 Recommended. Matches the main Citrix Workspace app 2604 for Linux build and supports older glibc versions.

For most use cases, use linux64_gcc8. Use linux64 only for Technical Preview validation on systems with glibc 2.35 or later.

Removal of GCC 8 support on ARM64 devices

Starting with version 2604, Citrix Workspace app for Linux no longer supports GCC 8 on ARM64 devices.

Dual CWA package sets for Linux (Technical Preview)

Starting with Citrix Workspace app for Linux 2604, the package includes two Linux package sets instead of one so that you can choose the build that matches your target environment.

Package line Built with When to use
GCC 8 package line GCC 8 Uses the renamed packages with the gcc-8 suffix and supports older glibc versions.
GCC 11 package line GCC 11 Technical Preview only. Uses the original package names. Use for newer runtime environments such as Ubuntu 24.04 and later. Requires glibc 2.35 or later.

The GCC 8 package line includes:

  • icaclient-gcc-8_26.04.0.49_amd64.deb
  • ICAClient-rhel-gcc-8-26.04.0.49-0.x86_64.rpm
  • ICAClient-suse-gcc-8-26.04.0.49-0.x86_64.rpm
  • linuxx64-gcc-8-26.04.0.49.tar.gz
  • ctxusb-gcc-8_26.04.49._amd64.deb
  • ctxusb-gcc-8-26.04.0.-1.x86_49.rpm

System requirements and compatibility

Consider the following compatibility details when you choose a package line:

  • The GCC 11 package line is intended for newer environments such as Ubuntu 24.04 and later.
  • The GCC 8 package line can be used on Ubuntu 24.04 and earlier.
  • The GCC 8 package line uses renamed packages with the gcc-8 suffix and continues with webkit2gtk-4.0 and libsoup-2.4.
  • The GCC 11 package line uses the original package names.
  • The GCC 11 package line uses updated dependency tracks such as webkit2gtk-4.1 and libsoup-3.0.

For GCC 11 builds, install the following packages if they are not already present:

sudo apt install libsoup-3.0-dev libwebkit2gtk-4.1-dev
<!--NeedCopy-->

RHEL 8 and RHEL 9 support only the GCC 8 package line because they use older glibc versions. ARM64 platforms, such as Raspberry Pi 4, support only the GCC 11 package line.

You can download the GCC 11 Technical Preview package from the Downloads page.

Fixed issues

  • For Boot-to-VDI sessions, the system time displayed on the lock screen might become frozen and not update after logout, which can cause confusion on shared client devices. [CVADHELP‑31860]
  • When the Boot-to-VDI login screen remains inactive for some time, you might see an AM_ERROR_AUTH_CANCELLED_BY_USER message or a similar message instead of a clear login timeout message prompting you to reconnect and sign in again. [CVADHELP‑32070]
  • You might notice that launching Citrix Workspace app a second time while sign-in to a Citrix Cloud or Workspace store is still in progress makes the app unresponsive or displays a blank window. [CVADHELP-31992]
  • Nuance PowerMic devices redirected into an HDX session after session launch might have non-functional HID buttons inside the session, such as in Dragon Medical One.[HDX-101227]
  • On Linux clients such as eLux and Ubuntu, a phantom drive letter, such as D:\, might appear in the session through dynamic Client Drive Mapping (CDM) even when no USB storage device is connected. [CVADHELP-32425]
  • In multi-monitor fullscreen sessions, repeatedly clicking Extend to all displays might cause the toolbar to expand and move off-screen, making both the toolbar and its collapsed notch inaccessible. [CVADHELP-31897]
  • On eLux thin clients, a session window might move to the wrong monitor when a monitor is connected or disconnected, or when the laptop lid is closed and reopened. [HDX-104082]
  • A seamless window might disappear immediately after it pops up when it carries all three style attributes simultaneously: WS_POPUP, WS_EX_TOOLWINDOW, and WS_EX_NOINHERITLAYOUT. [CVADHELP-30425]
  • When a proxy is configured to use the NTLM authentication protocol, the connection might fail with the following error message: No Supported Authentication Method. [CVADHELP-31646]
  • Launching a published or hosted application on Citrix Workspace app for Linux might fail with the following error message: Network data corrupted - HDX has detected corrupted server data when connecting to a legacy VDA such as XenApp/XenDesktop 7.15 LTSR. [CVADHELP-32516]

Known issues

  • You might find that certain pop-up windows of a custom web application fail to open or render correctly in a desktop session. This issue occurs when the VDA switches the desktop into multi-touch mode, which suppresses the synthetic mouse events that the web application’s pop-up logic relies on. As a workaround, do the following:

    1. Edit /opt/Citrix/ICAClient/config/module.ini.
    2. Under the [ICA 3.0] section, set MultiTouch=Off.
    3. Reconnect the session for the change to take effect. [CVADHELP-32531]
Citrix Workspace app for Linux 2604 - Preview
May 29, 2026
Contributed by: 
S C S
May 29, 2026
Contributed by: 
S C S

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.