System requirements and compatibility


Hardware requirements

Linux kernel:

  • Version 2.6.29 or later

Disk space:

  • A minimum of 55 MB
  • An extra 110 MB if you expand/extract the installation package on the disk
  • A minimum of 1 GB RAM for system-on-a-chip (SoC) devices that use HDX MediaStream Flash Redirection

Color video display:

  • 256 color video display or greater

Libraries and codec


  • glibcxx 3.4.15 or later
  • glibc 2.11.3 or later
  • gtk 2.20.1 or later
  • libcap1 or libcap2
  • libjson-c (for instrumentation)
  • GCC 4.8 for x64
  • GCC 4.9 for ARMHF
  • X11 or X.Org (Wayland isn’t supported)
  • udev support
  • Advanced Linux Sound Architecture (ALSA) libasound2
  • PulseAudio

Self-service user interface:

  • webkit2gtk 2.16.6 or later
  • libxml2 2.7.8
  • libxerces-c 3.1

Codec libraries:

  • Speex
  • Vorbis codec libraries

Red Hat Package Manager (RPM) based distribution requirements:

  • chkconfig

Network requirements

Network protocol:

  • TCP/IP

H.264 requirements

For x86 devices:

  • A minimum processor speed of 1.6 GHz

For the HDX 3D Pro feature:

  • A minimum processor speed of 2 GHz
  • A native hardware with accelerated graphics driver

For ARM devices:

  • A hardware H.264 decoder is required for both general H.264 support and HDX 3D Pro

HDX MediaStream Flash Redirection

For all HDX MediaStream Flash Redirection requirements, see Knowledge Center article CTX134786.

We recommend that you test the article with the latest plug-in before deploying a new version to take advantage of the latest functionality and security-related fixes.

Customer Experience Improvement Program (CEIP) integration requirements

  • zlib
  • libtar 1.2 or later
  • libjson 7.6.1 or later

HDX RealTime webcam video compression requirements

  • A Video4Linux compatible webcam
  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution’s “plugins-good” package


  • GStreamer 1.0 (or a later 1.x version), including the distribution’s “plugins-base”, “plugins-good”, “plugins-bad”, “plugins-ugly”, and “gstreamer-libav” packages

HDX MediaStream Windows Media redirection requirements

  • GStreamer 0.10.25 (or a later 0.10.x version), including the distribution’s “plugins-good” package. In general, version 0.10.15 or later is sufficient for HDX MediaStream Windows Media Redirection


  • GStreamer 1.0 (or a later 1.x version), including the distribution’s “plugins-base”, “plugins-good”, “plugins-bad”, “plugins-ugly”, and “gstreamer-libav” packages


  • If GStreamer isn’t included in your Linux distribution, you can download it from the GStreamer page.
  • Use of certain codecs (for example, as in “plugins-ugly”) might require a license from the manufacturer of that technology. Contact your system administrator for help.

Browser content redirection requirements

  • webkit2gtk version 2.16.6
  • glibcxx 3.4.20 version or later

Philips SpeechMike requirements

  • Visit the Philips website to install the relevant drivers

App protection requirements

App protection works best with the following Operating Systems along with the Gnome Display Manager:

  • 64-bit Ubuntu 18.04+, except Ubuntu 21.10.
  • 64-bit Debian 9+
  • 64-bit CentOS 7.5+
  • 64-bit RHEL 7.5+
  • ARMHF 32-bit Raspbian 10 (Buster)+


The app protection feature does not support operating systems that use glibc 2.34 or later.

Microsoft Teams optimization requirements

Minimum version:

  • Citrix Workspace app 2006


  • GStreamer 1.0 or later and Cairo 2
  • libc++-9.0 or later
  • libgdk 3.22 or later
  • OpenSSL 1.1.1d
  • x64 Linux distribution


  • A minimum 1.8 GHz dual-core CPU that can support 720p HD resolution during a peer-to-peer video conference call
  • Dual or quad-core CPU with a base speed of 1.8 GHz and a high Intel Turbo Boost speed of at least 2.9 GHz

Authentication enhancement:

  • Libsecret library
  • libunwind-12 library

Service continuity requirements

Mandatory preinstalled libraries:

  • libwebkit2gtk-4.0-37 version 2.30.1 or later
  • For Ubuntu/RHEL/SUSE/Fedora/Debian, we suggest that you install the latest libwebkit2gtk-4.0-37 version 2.30.1 or later.
  • For the Raspberry Pi with Buster OS, we suggest that you install the libwebkit2gtk-4.0-37 version 2.30.1.
  • gnome-keyring version 3.18.3 or later.
  • Libsecret installed


Following the 1910 version, Citrix Workspace app works as expected only if the operating system meets the following GCC version criteria:

  • GCC version for x64 architecture: 4.8 or later
  • GCC version for ARMHF architecture: 4.9 or later

Following the 2101 version, Citrix Workspace app works as expected only if the operating system meets the following requirements:

  • GCC version 4.9 or later
  • glibcxx 3.4.20 or later

Compatibility matrix

Citrix Workspace app is compatible with all currently supported versions of the Citrix products.

For information about the Citrix product lifecycle, and to find out when Citrix stops supporting specific versions of products, see the Citrix Product Lifecycle Matrix.

Server requirements


  • You can use all currently supported versions of Citrix Workspace app to access StoreFront stores from both internal network connections and through Citrix Gateway:
    • StoreFront 1811 and later.
    • StoreFront 3.12.
  • You can use StoreFront configured with the workspace for web. The workspace for web provides access to StoreFront stores from a web browser. For the limitations of this deployment, see Important considerations in the StoreFront documentation.

Connections and certificates


Citrix Workspace app for Linux supports HTTPS and ICA-over-TLS connections through any one of the following configurations.

  • For LAN connections:

    • StoreFront using StoreFront services or workspace for web
  • For secure remote or local connections:

    • Citrix Gateway 12.0
    • NetScaler Gateway 10.1 and later
    • NetScaler Access Gateway Enterprise Edition 10
    • NetScaler Access Gateway Enterprise Edition 9.x
    • NetScaler Access Gateway VPX

    For information about the Citrix Gateway versions supported by StoreFront, see System requirements of StoreFront.


To ensure secure transactions between server and client, use the following certificates:

Private (self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device. This installation helps to access Citrix resources using Citrix Workspace app.


An untrusted certificate warning appears if the remote gateway’s certificate can’t be verified upon connection. This verification might fail because the root certificate isn’t included in the local key store. If you choose to continue through the warning, the apps are displayed but can’t be launched. The root certificate must be installed in the client’s certificate store.

Root certificates

For domain-joined machines, use the Group Policy Object administrative template to distribute and trust CA certificates.

For non-domain joined machines, create a custom install package to distribute and install the CA certificate. Contact your system administrator for assistance.

Install root certificates on user devices

To use TLS, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate. By default, Citrix Workspace app supports the following certificates.

Certificate                 Issuing Authority
Class4PCA_G2_v2.pem         Verisign Trust Network
Class3PCA_G2_v2.pem         Verisign Trust Network
BTCTRoot.pem                Baltimore Cyber Trust Root
GTECTGlobalRoot.pem         GTE Cyber Trust Global Root
Pcs3ss_v4.pem               Class 3 Public Primary Certification Authority
GeoTrust_Global_CA.pem      GeoTrust
DigiCertGlobalRootCA.pem    DigiCert Global Root CA

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app supports wildcard certificates; however, they must be used only in accordance with your organization’s security policy.

Alternatives to wildcard certificates, such as a certificate that includes the list of server names within the Subject Alternative Name (SAN) extension, can be considered. Both private and public certificate authorities issue such certificates.

Append intermediate certificate to Citrix Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. For information, see Configuring Intermediate Certificates in the Citrix Gateway documentation.

If your StoreFront server fails to provide the intermediate certificates that match the certificate it’s using, or you install intermediate certificates to support smart card users, follow these steps before adding a StoreFront store:

  1. Get one or more intermediate certificates separately in PEM format.


    If you can’t find a certificate in PEM format, use the openssl utility to convert a certificate in CRT format to a .pem file.

  2. When you install the package (usually as root):

    1. Copy one or more files to $ICAROOT/keystore/intcerts.

    2. Run the following command after you have installed the package:


Joint server certificate validation policy

Citrix Workspace app has a stricter validation policy for server certificates.


Before installing Citrix Workspace app, confirm that the certificates on the server or gateway are correctly configured as described here. Connections might fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Workspace app uses all the certificates supplied by the server (or gateway). As in previous Citrix Workspace app versions, it verifies that the certificates are trusted. If any certificate is untrusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app connections to fail.

If a gateway is configured with these valid certificates, use the following configuration for stricter validation. This configuration determines exactly which root certificate the Citrix Workspace app uses:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Example Root Certificate

Citrix Workspace app verifies that all these certificates are valid. Citrix Workspace app also verifies that it already trusts the Example Root Certificate. If Citrix Workspace app does not trust the Example Root Certificate, the connection fails.


  • Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (DigiCert/GTE CyberTrust Global Root and DigiCert Baltimore Root/Baltimore CyberTrust Root) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (DigiCert Baltimore Root/Baltimore CyberTrust Root).
  • If you configure the GTE CyberTrust Global Root certificate at the gateway, Citrix Workspace app connections on those user devices fail. Consult the certificate authority’s documentation to determine which root certificate must be used. Also note that root certificates eventually expire, as do all certificates.
  • Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

If a gateway is configured with these valid certificates, we can use the following configuration, leaving out the root certificate:

  • Example Server Certificate

  • Example Intermediate Certificate

Citrix Workspace app uses these two certificates. It searches for a root certificate on the user device. If Citrix Workspace app finds a root certificate that validates correctly, and is also trusted (such as Example Root Certificate), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app needs, but also allows Citrix Workspace app to choose any valid, trusted, root certificate.

If a gateway is configured with these certificates:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Wrong Root Certificate

A web browser might ignore the wrong root certificate. However, Citrix Workspace app does not ignore the wrong root certificate, and the connection fails.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is configured with all the intermediate certificates (but not the root certificate) such as:

  • Example Server Certificate

  • Example Intermediate Certificate 1

  • Example Intermediate Certificate 2


  • Some certificate authorities use a cross-signed intermediate certificate. This certificate is used where there’s more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there are at least two intermediate certificates. For example, the earlier root certificate Class 3 Public Primary Certification Authority has the corresponding cross-signed intermediate certificate Verisign Class 3 Public Primary Certification Authority - G5. However, a corresponding later root certificate Verisign Class 3 Public Primary Certification Authority - G5 is also available, which replaces Class 3 Public Primary Certification Authority. The later root certificate does not use a cross-signed intermediate certificate.
  • The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But the cross-signed intermediate certificate has a different Issuer name (Issued By). This difference distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as Example Intermediate Certificate 2).

This configuration, leaving out the root certificate and the cross-signed intermediate certificate, is recommended:

  • Example Server Certificate

  • Example Intermediate Certificate

Avoid configuring the gateway to use the cross-signed intermediate certificate, because it selects the earlier root certificate:

  • Example Server Certificate

  • Example Intermediate Certificate

  • Example Cross-signed Intermediate Certificate [not recommended]

It isn’t recommended to configure the gateway with only the server certificate:

  • Example Server Certificate

In this case, if Citrix Workspace app can’t locate all the intermediate certificates, the connection fails.
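The chain rules in this section can be checked against a gateway's certificate bundle before users connect. The script below is an added example, not part of the Citrix installation package or documentation; it assumes the openssl command-line tool, and the audit_chain function name and its ROOT_DIR argument are hypothetical.

```shell
#!/bin/sh
# audit_chain BUNDLE ROOT_DIR
#   BUNDLE   PEM file holding the certificates the gateway sends, server certificate first
#   ROOT_DIR directory of *.pem root certificates trusted on the user device
#            (hypothetical parameter: point it at the client's root store)
# Prints one finding per line and returns 1 if any FAIL or WARN was raised.
audit_chain() {
    bundle=$1 roots=$2 rc=0 i=1
    work=$(mktemp -d) || return 2
    # One file per certificate (1.pem, 2.pem, ...); text outside PEM blocks is harmless.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$bundle"
    # Subject hashes of every root the device trusts.
    root_hashes=$(for r in "$roots"/*.pem; do
        if [ -f "$r" ]; then openssl x509 -in "$r" -noout -subject_hash; fi
    done)
    trusted() { printf '%s\n' "$root_hashes" | grep -qx "$1"; }
    while [ -f "$work/$i.pem" ]; do
        c="$work/$i.pem" next="$work/$((i + 1)).pem"
        subj=$(openssl x509 -in "$c" -noout -subject_hash)
        iss=$(openssl x509 -in "$c" -noout -issuer_hash)
        name=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253)
        if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
            echo "FAIL cert $i has expired: $name"; rc=1
        fi
        if [ "$subj" = "$iss" ]; then
            # Self-issued, so a root: the client must already trust exactly this one.
            if trusted "$subj"; then
                echo "INFO cert $i is a trusted root; validation is pinned to it"
            else
                echo "FAIL cert $i is a root the device does not trust: $name"; rc=1
            fi
        elif [ "$i" -gt 1 ] && trusted "$subj"; then
            # Subject matches a trusted root but Issuer differs: cross-signed intermediate.
            echo "WARN cert $i is a cross-signed intermediate: $name"; rc=1
        fi
        if [ -f "$next" ]; then
            if [ "$iss" != "$(openssl x509 -in "$next" -noout -subject_hash)" ]; then
                echo "FAIL cert $i is not issued by cert $((i + 1))"; rc=1
            fi
        elif [ "$subj" != "$iss" ] && ! trusted "$iss"; then
            # Covers the server-certificate-only configuration: nothing links to a root.
            echo "WARN issuer of cert $i is not a trusted root on this device"; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    return "$rc"
}
```

To audit what a live gateway presents, save the output of `openssl s_client -connect <gateway>:443 -showcerts` to a file and pass that file as BUNDLE.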


We provide a script,, as part of the Citrix Workspace app installation package. The script checks whether your device meets all the system requirements in support of the functionalities of Citrix Workspace app. The script is in the Utilities directory of the installation package.

To run the script

  1. Open the terminal in your Linux machine.
  2. Type cd $ICAROOT/util and press Enter to navigate to the Utilities directory of the installation package.
  3. Type ./ to run the script.

Out-of-support applications and operating systems

Citrix does not offer support in the context of applications and operating systems that are no longer supported by their vendors.

While attempting to address and resolve a reported issue, Citrix assesses whether the issue directly relates to an out-of-support application or operating system. To help in making that determination, Citrix might ask you to attempt to reproduce an issue using the supported version of the application or operating system. If the issue seems to be related to the out-of-support application or operating system, Citrix will not investigate the issue further.
