System requirements and compatibility

Requirements

Hardware requirements

Linux kernel:

  • Version 2.6.29 or later

Disk space:

  • A minimum of 55 MB
  • An extra 110 MB if you expand/extract the installation package on the disk
  • A minimum of 1 GB RAM for system-on-a-chip (SoC) devices that use HDX MediaStream Flash Redirection

Color video display:

  • 256 color video display or greater

Supported Linux distributions

Citrix Workspace app for Linux are supported on following Linux distributions:

Citrix Workspace app version Linux distribution
2411



RHEL 9.4 x86-64
Ubuntu 2204 x86-64
Ubuntu 2404 x86-64
Raspberry Pi OS Bullseye, arm64
Debian 11.9 x86-64
2408


RHEL 9.4 x86-64
Ubuntu 2204 x86-64
Raspberry Pi OS Bullseye, arm64
Debian 11.9 x86-64

Support for Ubuntu 2404

To support Citrix Workspace app for Linux on Ubuntu 2404, backporting the webkit2gtk library is required. Follow the steps below to backport the library based on your architecture:

For x64 architecture:

  1. Add the following entry in /etc/apt/sources.list:

    deb http://gb.archive.ubuntu.com/ubuntu jammy main

  2. Install the library:

    sudo apt update

    sudo apt install libwebkit2gtk-4.0-dev

  3. Post successful installation of the library libwebkit2gtk-4.0-dev, remove the following entry from the list:

    deb http://gb.archive.ubuntu.com/ubuntu jammy main

For arm64 architecture:

  1. Add the following entry in /etc/apt/sources.list:

    deb [arch=arm64] http://ports.ubuntu.com/ jammy main multiverse universe

  2. Install the library:

    sudo apt update

    sudo apt install libwebkit2gtk-4.0

  3. Post successful installation of the library libwebkit2gtk-4.0-dev, remove the following entry from the list.

    deb [arch=arm64] http://ports.ubuntu.com/ jammy main multiverse universe

Note:

If this does not work due to dependencies, install pixbuf-2.40 separately:

sudo apt install libgdk-pixbuf-2.0-0=2.40.0+dfsg-3

Libraries and codec

Libraries:

  • glibcxx 3.4.25 or later
  • glibc 2.27 or later
  • gtk 3
  • gtk 2 (2.20.1 or later)
  • libcap1 or libcap2
  • libva2
  • libjson-c (for instrumentation)
  • X11 or X.Org (Wayland isn’t supported)
  • udev support
  • Advanced Linux Sound Architecture (ALSA) libasound2
  • PulseAudio
  • UIDialogLib3.so

Self-service user interface:

  • webkit2gtk 2.16.6 or later
  • libxml2 2.7.8
  • libxerces-c 3.1

Codec libraries:

  • Speex
  • Vorbis codec libraries

Red Hat Package Manager (RPM) based distribution requirements:

  • chkconfig

Network requirements

Network protocol:

  • TCP/IP

H.264 requirements

For x86 devices:

  • A minimum processor speed of 1.6 GHz

For the HDX 3D Pro feature:

  • A minimum processor speed of 2 GHz
  • A native hardware with accelerated graphics driver

For ARM devices:

  • A hardware H.264 decoder is required for both general H.264 support and HDX 3D Pro

HDX MediaStream Flash Redirection

For all HDX MediaStream Flash Redirection requirements, see Knowledge Center article CTX134786.

We recommend that you test the article with the latest plug-in before deploying a new version to take advantage of the latest functionality and security-related fixes.

Authentication requirements

cURL 7.68 or later with OpenSSL for cloud authentication.

Customer Experience Improvement Program (CEIP) integration requirements

  • zlib 1.2.3.3
  • libtar 1.2 or later
  • libjson 7.6.1 or later

HDX RealTime webcam video compression requirements

  • A Video4Linux compatible webcam
  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution’s “plugins-good” package

    Or,

  • GStreamer 1.0 (or a later 1.x version), including the distribution’s “plugins-base”, “plugins-good”, “plugins-bad”, “plugins-ugly”, and “gstreamer-libav” packages

HDX MediaStream Windows Media redirection requirements

  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution’s “plugins-good” package. In general, version 0.10.15 or later is sufficient for HDX MediaStream Windows Media Redirection

    Or,

  • GStreamer 1.0 (or a later 1.x version), including the distribution’s “plugins-base”, “plugins-good”, “plugins-bad”, “plugins-ugly”, and “gstreamer-libav” packages

Notes:

  • If GStreamer isn’t included in your Linux distribution, you can download it from the GStreamer page.
  • Use of certain codes (for example, as in “plugins-ugly”) might require a license from the manufacturer of that technology. Contact your system administrator for help.

Browser content redirection requirements

  • webkit2gtk version 2.16.6

Philips SpeechMike requirements

  • Visit the Philips website to install the relevant drivers

App Protection requirements

App Protection works best with the following Operating Systems along with the Gnome Display Manager:

  • 64-bit Ubuntu 18.04, Ubuntu 20.04, and Ubuntu 22.04
  • 64-bit Debian 9 and Debian 10
  • 64-bit CentOS 7
  • 64-bit RHEL 7
  • ARMHF 32-bit Raspberry Pi OS (Based on Debian 10 (buster))
  • ARM64 Raspberry Pi OS (Based on Debian 11 (bullseye))

Note:

  • If you’re using Citrix Workspace app earlier than version 2204, the App Protection feature does not support the operating systems that use glibc 2.34 or later.
  • On Ubuntu 20.04.5 or later, when you double-click the .deb package file, the Snap Store installer opens. This installer doesn’t support user prompts. So, you must install the Citrix Workspace app using the command line in a terminal or using other software installers like gnome-software, gdebi, and synaptics.

Microsoft Teams optimization requirements

Minimum version:

  • Citrix Workspace app 2006

Software:

  • GStreamer 1.0 or later and Cairo 2
  • libc++-9.0 or later
  • libgdk 3.22 or later
  • OpenSSL 1.1.1d
  • libnsl
  • Ubuntu 20.04 or later

Hardware:

  • A minimum 1.8 GHz dual-core CPU that can support 720p HD resolution during a peer-to-peer video conference call
  • A dual or quad-core CPU with a base speed of 1.8 GHz and a high Intel Turbo Boost speed of at least 2.9 GHz

Authentication enhancement:

  • Libsecret library
  • libunwind-12 library

Service continuity requirements

Starting with Version 2106, you can install Service Continuity on the Debian version of Citrix Workspace app.

Run the following commands from the terminal before installing Citrix Workspace app:

sudo apt-get update -y

Mandatory preinstalled libraries:

  • libwebkit2gtk-4.0-37 version 2.30.1 or later

    • If you’re using Debian, run the following command:

       sudo apt-get install libwebkit2gtk-4.0-37
       <!--NeedCopy-->
      
    • If you’re using RPM, run the following command:

       sudo yum install libwebkit2gtk-4*
       <!--NeedCopy-->
      
    • For Ubuntu, RHEL, SUSE, Fedora, or Debian, Citrix recommends you to install the latest libwebkit2gtk-4.0-37 version 2.30.1 or later.
    • For the Raspberry Pi with Buster OS, Citrix recommends you to install the libwebkit2gtk-4.0-37 version 2.30.1.
  • gnome-keyring version 3.18.3 or later

    • If you’re using Debian, run the following command:

       sudo apt-get install gnome-keyring
       <!--NeedCopy-->
      
    • If you’re using RPM, run the following command:

       sudo yum install gnome-keyring
       <!--NeedCopy-->
      
  • Libsecret

    • If you’re using Debian, run the following command:

       sudo apt-get install libsecret-1-0
       <!--NeedCopy-->
      
    • If you’re using RPM, run the following command:

       sudo yum install libsecret-1*
       <!--NeedCopy-->
      

Notes:

Following the 1910 version, Citrix Workspace app works as expected only if the operating system meets the following GCC version criteria:

  • GCC version for x64 architecture: 4.8 or later
  • GCC version for ARMHF architecture: 4.9 or later

Following the 2101 version, Citrix Workspace app works as expected only if the operating system meets the following requirements:

  • GCC version 4.9 or later
  • glibcxx 3.4.20 or later

Following the 2209 version, Citrix Workspace app works as expected only if the operating system meets the following requirement:

glibcxx 3.4.25 or later

Compatibility matrix

Citrix Workspace app is compatible with all currently supported versions of the Citrix products.

For information about the Citrix product lifecycle, and to find out when Citrix stops supporting specific versions of products, see the Citrix Product Lifecycle Matrix.

Server requirements

StoreFront

  • You can use all currently supported versions of Citrix Workspace app to access StoreFront stores from both internal network connections and through Citrix Gateway:
    • StoreFront 1811 and later.
    • StoreFront 3.12.
  • You can use StoreFront configured with the workspace for web. The workspace for web provides access to StoreFront stores from a web browser. For the limitations of this deployment, see Important considerations in the StoreFront documentation.

Connections and certificates

Connections

Citrix Workspace app for Linux supports HTTPS and ICA-over-TLS connections through any one of the following configurations.

  • For LAN connections:

    • StoreFront using StoreFront services or workspace for web
  • For secure remote or local connections:

    • Citrix Gateway 12.0 and later
    • NetScaler Gateway 10.1 and later
    • NetScaler Access Gateway Enterprise Edition 10
    • Netscaler Access Gateway Enterprise Edition 9.x
    • Netscaler Access Gateway VPX

    For information about the Citrix Gateway versions supported by StoreFront, see System requirements of StoreFront.

Certificates

To ensure secure transactions between server and client, use the following certificates:

Private (self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device. This installation helps to access Citrix resources using Citrix Workspace app.

Note:

An untrusted certificate warning appears, if the remote gateway’s certificate can’t be verified upon connection. This verification might fail since the root certificate isn’t included in the local key store. If you choose to continue through the warning, the apps are displayed but can’t be launched. The root certificate must be installed in the client’s certificate store.

Root certificates

For domain-joined machines, use the Group Policy Object administrative template to distribute and trust CA certificates.

For non-domain joined machines, create a custom install package to distribute and install the CA certificate. Contact your system administrator for assistance.

Install root certificates on user devices

To use TLS, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate. By default, Citrix Workspace app supports the following certificates.

Certificate Issuing Authority
Class4PCA_G2_v2.pem Verisign Trust Network
Class3PCA_G2_v2.pem Verisign Trust Network
BTCTRoot.pem Baltimore Cyber Trust Root
GTECTGlobalRoot.pem GTE Cyber Trust Global Root
Pcs3ss_v4.pem Class 3 Public Primary Certification Authority
GeoTrust_Global_CA.pem GeoTrust
DigiCertGlobalRootCA.pem DigiCert Global Root CA

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app supports wildcard certificates, however they must only be used following your organization’s security policy.

Alternatives to wildcard certificates, such as a certificate that includes the list of server names within the Subject Alternative Name (SAN) extension, can be considered. Both private and public certificate authorities issue such certificates.

Append intermediate certificate to Citrix Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. For information, see Configuring Intermediate Certificates in the Citrix Gateway documentation.

If your StoreFront server fails to provide the intermediate certificates that match the certificate it’s using, or you install intermediate certificates to support smart card users, follow these steps before adding a StoreFront store:

  1. Get one or more intermediate certificates separately in PEM format.

    Tip:

    If you can’t find a certificate in the .pem file extension, use the openssl utility to convert a certificate to the .pem file extension.

  2. When you install the package (usually root):

    1. Copy one or more files to $ICAROOT/keystore/intcerts.

    2. Run the following command after you installed the package:

      $ICAROOT/util/ctx_rehash

Joint server certificate validation policy

Citrix Workspace app has a stricter validation policy for server certificates.

Important:

Before installing Citrix Workspace app, confirm that the certificates on the server or gateway are correctly configured as described here. Connections might fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Workspace app uses all the certificates supplied by the server (or gateway) when validating the server certificate. As in previous Citrix Workspace app versions, it verifies that the certificates are trusted. If any certificate is untrusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause the Citrix Workspace app connection to fail.

If a gateway is configured with these valid certificates, use the following configuration for stricter validation. This configuration determines exactly which root certificate the Citrix Workspace app uses:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Example Root Certificate

Citrix Workspace app verifies all these certificates are valid. Citrix Workspace app also verifies that it already trusts the Example Root Certificate. If Citrix Workspace app does not trust the Example Root Certificate, the connection fails.

Important:

  • Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (DigiCert/GTE CyberTrust Global Root and DigiCert Baltimore Root/Baltimore CyberTrust Root) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (DigiCert Baltimore Root/Baltimore CyberTrust Root).
  • If you configure the GTE CyberTrust Global Root certificate at the gateway, Citrix Workspace app connections on those user devices fail. Consult the certificate authority’s documentation to determine which root certificate must be used. Also note that root certificates eventually expire, as do all certificates.
  • Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

If a gateway is configured with these valid certificates, we can use the following configuration, leaving out the root certificate:

  • Example Server Certificate

  • Example Intermediate Certificate

Citrix Workspace app uses these two certificates. It searches for a root certificate on the user device. If Citrix Workspace app finds a root certificate that validates correctly, and is also trusted (such as Example Root Certificate), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app needs, but also allows Citrix Workspace app to choose any valid, trusted, root certificate.

If a gateway is configured with these certificates:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Wrong Root Certificate

A web browser might ignore the wrong root certificate. However, Citrix Workspace app does not ignore the wrong root certificate, and the connection fails.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is configured with all the intermediate certificates (but not the root certificate) such as:

  • Example Server Certificate

  • Example Intermediate Certificate 1

  • Example Intermediate Certificate 2

Important:

  • Some certificate authorities use a cross-signed intermediate certificate. This certificate is used where there’s more than one root certificate, and an earlier root certificate is still in use as a later root certificate. In this case, there are at least two intermediate certificates. For example, the earlier root certificate Class 3 Public Primary Certification Authority has the corresponding cross-signed intermediate certificate Verisign Class 3 Public Primary Certification Authority - G5. However, a corresponding later root certificate Verisign Class 3 Public Primary Certification Authority - G5 is also available, which replaces the Class 3 Public Primary Certification Authority. The later root certificate does not use a cross-signed intermediate certificate.
  • The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But the cross-signed intermediate certificate has a different Issuer name (Issued By). This difference distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as Example Intermediate Certificate 2).

This configuration, leaving out the root certificate and the cross-signed intermediate certificate, is recommended:

  • Example Server Certificate

  • Example Intermediate Certificate

Avoid configuring the gateway to use the cross-signed intermediate certificate, because it selects the earlier root certificate:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Example Cross-signed Intermediate Certificate [not recommended]

It isn’t recommended to configure the gateway with only the server certificate:

  • Example Server Certificate

In this case, if Citrix Workspace app can’t locate all the intermediate certificates, the connection fails.

Supports system certificate paths for SSL connection

Previously, Citrix Workspace app supported only the opt/Citrix/ICAClient/keystore path as system certificate path. This path was a hardcode path to store Citrix predefined certificates. However, sometimes, certificate authority (CA) certificates are placed in the system certificates path in different linux distributions. To add these system certificate paths, customers had to make a soft link and replace /opt/Citrix/ICAClient/keystore.

With this release, Citrix Workspace app supports multiple system certificate paths. The following are the default system certificate paths supported for SSL connection:

"/var/lib/ca-certificates",
"/etc/ssl/certs",
"/system/etc/security/cacerts",
"/usr/local/share/cert",
"/etc/pki/tls/certs",
"/etc/openssl/certs",
"/var/ssl/certs",
ICAROOT() + "/keystore/cacerts"
<!--NeedCopy-->

In addition to the default system certified path, you can also add your own certified path by adding the Certpath field in the AuthManConfig.xml file as follows:

<!--Cert bundle file for Selfservice with AuthManLite. -->
<Certfile></Certfile>
<!--Cert folder path for Selfservice with AuthManLite.-->
<Certpath></Certpath>
<!--NeedCopy-->

This feature simplifies the certificate management process on the client side and improves the user experience. Citrix Workspace app for Linux supports multiple system certificate paths for SSL connection. This feature eliminates the need to create a soft link.

Workspacecheck

We provide a script, workspacecheck.sh, as part of the Citrix Workspace app installation package. The script checks whether your device meets all the system requirements in support of the functionalities of Citrix Workspace app. The script is in the Utilities directory of the installation package.

To run the workspacecheck.sh script

  1. Open the terminal in your Linux machine.
  2. Type cd $ICAROOT/util and press Enter to navigate to the Utilities directory of the installation package.
  3. Type ./workspacecheck.sh to run the script.

Out-of-support applications and operating systems

Citrix does not offer support in the context of applications and operating systems that are no longer supported by their vendors.

While attempting to address and resolve a reported issue, Citrix assesses whether the issue directly relates to an out-of-support application or operating system. To help in making that determination, Citrix might ask you to attempt to reproduce an issue using the supported version of the application or operating system. If the issue seems to be related to the out-of-support application or operating system, Citrix will not investigate the issue further.

System requirements and compatibility