Prerequisites to install Citrix Workspace app

System requirements and compatibility

Supported operating systems

Citrix Workspace app for Mac supports the following operating systems:

  • macOS Catalina (10.15)
  • macOS Mojave (10.14)
  • macOS High Sierra (10.13)

Note:

macOS and Mac OS X releases prior to macOS High Sierra are not supported.

Compatible Citrix products

Citrix Workspace app for Mac is compatible with all currently supported versions of the following Citrix products. For information about the Citrix product lifecycle, and to find out when Citrix stops supporting specific versions of products, see the Citrix Product Lifecycle Matrix.

Compatible browsers

Citrix Workspace app for Mac is compatible with the following browsers:

  • Safari 7.0 and later
  • Mozilla Firefox 22.x and later
  • Google Chrome 28.x and later

Hardware requirements

  • 257.7 MB of free disk space
  • A working network or Internet connection to connect to servers

Software requirements

  • Web Interface:
    • Web Interface 5.4 for Windows with XenApp Services sites, for access to applications natively from Citrix Workspace app for Mac rather than from a web browser.
  • To deploy Citrix Workspace app for Mac:
    • Citrix Workspace for Web 2.1, 2.5 and 2.6
    • Citrix Web Interface 5.4
  • StoreFront: StoreFront 2.x or later for access to applications natively from Citrix Workspace app for Mac or from a web browser.

Connections, Certificates, and Authentication

Connections

Citrix Workspace app for Mac supports the following connections to Citrix Virtual Apps and Desktops:

  • HTTP
  • HTTPS
  • ICA-over-TLS

Citrix Workspace app for Mac supports the following configurations:

For LAN connections For secure remote or local connections
StoreFront using StoreFront services or Citrix Workspace for Web site; Web Interface 5.4 for Windows, using XenApp Services sites Citrix Citrix Gateway 10.5-12.0, including VPX; Enterprise Edition 9.x-10.x, including VPX; VPX; Citrix Secure Web Gateway 3.x (for use with Web Interface only)

Certificates

Private (Self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device to successfully access Citrix resources using Citrix Workspace app for Mac.

Note:

If the remote gateway’s certificate cannot be verified upon connection (because the root certificate is not included in the local keystore), an untrusted certificate warning appears. If a user chooses to continue through the warning, a list of applications is displayed; however, applications fail to launch.

Importing root certificates on Citrix Workspace app for Mac devices

Obtain the certificate issuer’s root certificate and email it to an account configured on your device. When clicking the attachment, you are asked to import the root certificate.

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app for Mac supports wildcard certificates.

Intermediate certificates with NetScaler Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be mapped to the NetScaler Gateway server certificate. For information on this task, see NetScaler Gateway documentation. For more information about installing and linking an intermediate certifcate with Primary CA on a NetScaler Gateway appliance, refer to the article How to Install and Link Intermediate Certificate with Primary CA on NetScaler Gateway.

Joint Server Certificate Validation Policy

Citrix Workspace app for Mac has a stricter validation policy for server certificates.

Important

Before installing this version of Citrix Workspace app for Mac, confirm that the certificates at the server or gateway are correctly configured as described here. Connections may fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Workspace app for Mac now uses all the certificates supplied by the server (or gateway) when validating the server certificate. As in previous Citrix Workspace app for Mac releases, it then also checks that the certificates are trusted. If the certificates are not all trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app for Mac’s connection to fail.

Suppose a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, by determining exactly which root certificate is used by Citrix Workspace app for Mac:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Example Root Certificate”

Then, Citrix Workspace app for Mac will check that all these certificates are valid. Citrix Workspace app for Mac will also check that it already trusts “Example Root Certificate”. If Citrix Workspace app for Mac does not trust “Example Root Certificate”, the connection fails.

Important

Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (“DigiCert”/”GTE CyberTrust Global Root”, and “DigiCert Baltimore Root”/”Baltimore CyberTrust Root”) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (“DigiCert Baltimore Root”/”Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at the gateway, Citrix Workspace app for Mac connections on those user devices will fail. Consult the certificate authority’s documentation to determine which root certificate should be used. Also note that root certificates eventually expire, as do all certificates.

Note

Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

Now suppose a gateway is configured with these valid certificates. This configuration, omitting the root certificate, is normally recommended:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”

Then, Citrix Workspace app for Mac will use these two certificates. It will then search for a root certificate on the user device. If it finds one that validates correctly, and is also trusted (such as “Example Root Certificate”), the connection succeeds. Otherwise, the connection fails. Note that this configuration supplies the intermediate certificate that Citrix Workspace app for Mac needs, but also allows Citrix Workspace app for Mac to choose any valid, trusted, root certificate.

Now suppose a gateway is configured with these certificates:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Wrong Root Certificate”

A web browser may ignore the wrong root certificate. However, Citrix Workspace app for Mac will not ignore the wrong root certificate, and the connection will fail.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

  • “Example Server Certificate”
  • “Example Intermediate Certificate 1”
  • “Example Intermediate Certificate 2”

Important

Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations there is more than one root certificate, and a earlier root certificate is still in use at the same time as a later root certificate. In this case, there will be at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “VeriSign Class 3 Public Primary Certification Authority - G5”. However, a corresponding later root certificate “VeriSign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority”. The later root certificate does not use a cross-signed intermediate certificate.

Note

The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To), but the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such “Example Intermediate Certificate 2”).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”

Avoid configuring the gateway to use the cross-signed intermediate certificate, as it will select the earlier root certificate:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Example Cross-signed Intermediate Certificate” [not recommended]

It is not recommended to configure the gateway with only the server certificate:

  • “Example Server Certificate”

In this case, if Citrix Workspace app for Mac cannot locate all the intermediate certificates, the connection will fail.

Authentication

For connections to StoreFront, Citrix Workspace app for Mac supports the following authentication methods:

  Workspace for Web using browsers StoreFront Services site (native) StoreFront XenApp Services site (native) Citrix Gateway to Workspace for Web (browser) Citrix Gateway to StoreFront Services site (native)
Anonymous Yes Yes      
Domain Yes Yes   Yes* Yes*
Domain pass-through          
Security token       Yes* Yes*
Two-factor (domain with security token)       Yes* Yes*
SMS       Yes* Yes*
Smart card Yes Yes   Yes* Yes
User certificate       Yes Yes (Citrix Gateway Plugin)

*Available only for Workspace for Web sites and for deployments that include Citrix Gateway, with or without installing the associated plug-in on the device.

For connections to Web Interface 5.4, Citrix Workspace app for Mac supports the following authentication methods:

Note:

Web Interface uses the term Explicit to represent domain and security token authentication.

  Web Interface (browsers) Web Interface XenApp Services site Citrix Gateway to Web Interface (browser) Citrix Gateway to Web Interface XenApp Services site
Anonymous Yes      
Domain Yes Yes Yes Yes
Domain pass-through        
Security token     Yes* Yes
Two-factor (domain with security token)     Yes* Yes
SMS     Yes* Yes
Smart card Yes   Yes  
User certificate     Yes (Require Citrix Gateway Plugin) Yes (Require Citrix Gateway Plugin)

* Available only in deployments that include Citrix Gateway, with or without installing the associated plug-in on the device.