Citrix Workspace app for Mac supports smart card authentication in the following configurations:
- Smart card authentication to Workspace for Web or StoreFront 3.12 and later.
- Citrix Virtual Apps and Desktops 7 2203 and later.
- XenApp and XenDesktop 7.15 and later.
- Smart card-enabled applications, such as Microsoft Outlook and Microsoft Office that allow users to digitally sign or encrypt documents available in virtual desktop or application sessions.
Citrix Workspace app for Mac supports using multiple certificates with a single smart card or with multiple smart cards. When your user inserts a smart card into a card reader, the certificates are available to all applications running on the device, including Citrix Workspace app for Mac.
For double-hop sessions, a further connection is established between Citrix Workspace app for Mac and your user’s virtual desktop.
When multiple usable certificates are available as you use a smart card to authenticate a connection, Citrix Workspace app for Mac prompts you to select a certificate. After you select a certificate, Citrix Workspace app for Mac prompts you to enter the smart card password. Once authenticated, the session launches.
If there is only one suitable certificate on the smart card, Citrix Workspace app for Mac uses that certificate and does not prompt you to select it. However, you must still enter the password associated with the smart card to authenticate the connection and to start the session.
Installing the PKCS#11 module is not mandatory. This section only applies to ICA sessions. It does not apply to Citrix Workspace access to Citrix Gateway or StoreFront where a smart card is required.
To specify the PKCS#11 module for smart card authentication:
- In Citrix Workspace app for Mac, select Preferences.
- Click Security & Privacy.
- In the Security & Privacy section, click Smart Card.
- In the PKCS#11 field, select the appropriate module. Click Other to browse to the location of the PKCS#11 module if the desired one is not listed.
- After selecting the appropriate module, click Add.
Citrix Workspace app for Mac supports most macOS-compatible smart card readers and cryptographic middleware. Citrix has validated the operation with the following.
- Common USB connect smart card readers
- ActivIdentity client version
- Charismathics client version
Supported smart cards:
- PIV cards
- Common Access Card (CAC)
- Gemalto .NET cards
To configure user devices, follow the instructions provided by the vendor of your macOS-compatible smart card reader and cryptographic middleware.
- Certificates must be stored on a smart card, not on the user device.
- Citrix Workspace app for Mac does not save the user certificate choice.
- Citrix Workspace app for Mac does not store or save the user’s smart card PIN. The OS handles PIN acquisition and might have its own caching mechanism.
- Citrix Workspace app for Mac does not reconnect sessions when a smart card is inserted.
- To use VPN tunnels with smart card authentication, you must install the Citrix Gateway Plug-in and log on through a webpage. Use your smart cards and PINs to authenticate at each step. Pass-through authentication to StoreFront with the Citrix Gateway Plug-in is not available for smart card users.
Conditional Access with Azure Active Directory
This authentication method is currently not supported on Citrix Workspace app for Mac.
Citrix Workspace app sends a user agent in network requests that can be used to configure authentication policies including redirection of authentication to other Identity Providers (IdPs).
Don’t include the version numbers when configuring the policies.
| Scenario | Description | User-Agent |
|---|---|---|
| Regular HTTP Requests | In general, a network request made by Citrix Workspace app contains a general User-Agent. For example, network requests like GET /Citrix/Roaming/Accounts and GET /AGServices/discover contain the User-Agent: | CitrixReceiver/23.05.0.36 MacOSX/13.4.0 com.citrix.receiver.nomas X1Class CWACapable |
| Cloud Store | When a user adds a cloud store to Citrix Workspace app, network requests are made that have a specific User-Agent. For example, network requests with path /core/connect/authorize. The User-Agent sent by Citrix Workspace app is: | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Citrix Workspace/23.05.0.36 MacOSX/13.4.0 com.citrix.receiver.nomas X1Class CWACapable |
| OnPrem Store with Gateway Advanced Auth | When a user adds an on-premises store with Advanced Auth configured on Gateway to Citrix Workspace app, network requests are made that have a specific User-Agent. For example, network requests containing GET /nf/auth/doWebview.do and GET /logon/LogonPoint/tmindex.html. The User-Agent sent by Citrix Workspace app is: | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko), CWAWEBVIEW/23.05.0.36 |
| Custom Web Store | When a user adds a custom web store to Citrix Workspace app, the User-Agent sent by Citrix Workspace app is: | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Safari CWA/23.05.0.18 MacOSX/13.4.0 |
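The following added example (not Citrix code) shows one way to match the User-Agent strings listed above on their product tokens only, and to check that a policy match string does not embed a version number. The scenario names, function names and the sample policy strings are assumptions made for this illustration.

```python
import re

# Version-independent product tokens taken from the User-Agent strings above.
# Scenario names are hypothetical labels; order runs from most to least specific.
SCENARIO_TOKENS = [
    ("gateway_advanced_auth", re.compile(r"\bCWAWEBVIEW/")),
    ("cloud_store", re.compile(r"\bCitrix Workspace/")),
    ("custom_web_store", re.compile(r"\bSafari CWA/")),
    ("regular_http", re.compile(r"^CitrixReceiver/")),
]

# A dotted version or build number such as 23.05.0.36 or 13.4.0.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def classify_user_agent(user_agent):
    """Return the scenario label for a Workspace app User-Agent, or None."""
    for scenario, token in SCENARIO_TOKENS:
        if token.search(user_agent):
            return scenario
    return None


def pins_version(policy_pattern):
    """True if a policy match string embeds a version number, so it would
    stop matching as soon as the client is updated."""
    return bool(VERSION_RE.search(policy_pattern))


# User-Agent strings copied from the page, keyed by the expected label.
SAMPLES = {
    "regular_http": "CitrixReceiver/23.05.0.36 MacOSX/13.4.0 "
                    "com.citrix.receiver.nomas X1Class CWACapable",
    "cloud_store": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Citrix Workspace/23.05.0.36 "
                   "MacOSX/13.4.0 com.citrix.receiver.nomas X1Class CWACapable",
    "gateway_advanced_auth": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                             "AppleWebKit/605.1.15 (KHTML, like Gecko), CWAWEBVIEW/23.05.0.36",
    "custom_web_store": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                        "AppleWebKit/605.1.15 (KHTML, like Gecko) Safari CWA/23.05.0.18 MacOSX/13.4.0",
}

if __name__ == "__main__":
    for expected, ua in SAMPLES.items():
        print(expected, "->", classify_user_agent(ua))
    # Constructed policy strings: the first pins a build, the second does not.
    print(pins_version("CWAWEBVIEW/23.05.0.36"), pins_version("CWAWEBVIEW/"))
```

Because the User-Agent header is set by the client, a match like this is suited to routing a request to the right IdP rather than to proving which client is connecting.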