Customize security and privacy policies

This article provides guidance on how to customize the sign-in experience after you’ve already configured workspace access and authentication.

For an overview of the steps involved in configuring workspace access and authentication, visit Configure access. For information on how to configure subscriber authentication to workspaces, visit Secure workspaces.

Create a unified user sign-in flow

If you have Citrix Content Collaboration configured, you can create both employee and client users, which is useful when employees frequently share content with users outside your organization. For more information on creating employee and client users for Citrix Content Collaboration, visit People settings.

The default sign-in experience is a split screen for employee users and client (external) users.

To remove the split screen, navigate to Workspace Configuration > Authentication > Unified user sign in flow and select Enable. Enabling this feature presents all users with the same sign-in option.

Set inactivity timeout for Web

Use the Inactivity Timeout for Web setting in Workspace Configuration > Customize > Preferences to specify the amount of idle time allowed (maximum of 8 hours) before subscribers are automatically signed out of Citrix Workspace. This setting applies to browser access only, and doesn’t apply to access from a locally installed Citrix Workspace app.

Unlike manual sign-out, which disconnects DaaS sessions, subscribers stay connected to their DaaS sessions following timeout due to inactivity.

Set a reauthentication period for Citrix Workspace app

Use the Reauthentication period for Workspace app setting in Workspace Configuration > Customize > Preferences to specify the length of time subscribers can stay signed in to Citrix Workspace app before needing to sign in again.

By default, this setting requires subscribers to sign in every 24 hours (one day). You can specify a longer reauthentication period of up to 365 days. Longer reauthentication periods require subscriber consent to stay signed in. For users provisioned after September 27, 2021, a period of 30 days is required for subscribers to sign in again.

During the reauthentication period that you set, subscribers stay signed in unless they’re inactive for 4 or more days at a time. If a subscriber is inactive for 4 or more days, they’re prompted to reauthenticate the next time that they attempt to access their workspace.

You can invalidate the session for your subscribers by downloading this PowerShell script and following the instructions included in the download. Once you’ve invalidated sessions, subscribers must reauthenticate to their workspaces in the next 24 hours.

If you need to set the reauthentication period for Citrix Workspace app to less than 24 hours, you can do so via PowerShell. For more information, see Steps to configure InactivityTimeoutInMinutes.

Supported Workspace app clients

The following versions of Citrix Workspace app support this feature:

  • Workspace app 2106 for Windows or later
  • Workspace app 2106 for Mac or later
  • Workspace app for iOS 21.6.5 or later
  • Workspace app for Android 21.6.0 or later

Supported authentication methods

Staying signed in to Citrix Workspace app is supported for the following authentication methods:

  • Active Directory
  • Active Directory plus token
  • Azure Active Directory
  • Citrix Gateway
  • Okta

Note:

For the same experience as a Citrix DaaS customer using Okta or Azure Active Directory, configure the Citrix Federated Authentication Service (FAS). For more information about FAS, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.

Subscriber experience for staying signed in

When subscribers sign in to Workspace on their device, Workspace prompts them to consent to staying signed in.

When the subscriber selects Allow, they stay signed in during the reauthentication period. If no activity is detected on a subscriber’s device for four days, the subscriber is automatically prompted to reauthenticate. After they sign in to the Citrix Workspace app, the reauthentication period remains in effect as long as they’re using their apps and desktops on the device.

If the subscriber selects Deny, Workspace prompts the subscriber to sign in again. Afterward, Workspace prompts the subscriber to sign in again after 24 hours have passed.

If the subscriber’s password changes, the subscriber must sign out and sign in again through Citrix Workspace app for the reauthentication period to continue to work.
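
The reauthentication rules described above (the configured period, the 4-day inactivity limit, and the 24-hour interval after Deny) can be modeled as follows. This is an added example, not Citrix code: the Session record, function names, and sample data are hypothetical, and it assumes a subscriber who selects Deny is held to 24 hours whenever the configured period is longer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values stated on this page.
DEFAULT_PERIOD = timedelta(hours=24)   # default, and the interval after "Deny"
MAX_PERIOD = timedelta(days=365)       # longest period configurable in the console
INACTIVITY_LIMIT = timedelta(days=4)   # idle time that forces a new sign-in

@dataclass
class Session:                         # hypothetical record, not a Citrix type
    signed_in_at: datetime
    last_activity: datetime
    consented: bool                    # subscriber selected Allow in the dialog

def effective_period(configured: timedelta, consented: bool) -> timedelta:
    """Period that applies to one subscriber on one device."""
    if configured > MAX_PERIOD:
        raise ValueError("reauthentication period cannot exceed 365 days")
    # Assumption: without consent, anything longer than 24 hours falls back to 24 hours.
    if not consented and configured > DEFAULT_PERIOD:
        return DEFAULT_PERIOD
    return configured

def reauth_reason(session: Session, configured: timedelta, now: datetime):
    """Return why the subscriber must sign in again, or None if still signed in."""
    if now - session.signed_in_at >= effective_period(configured, session.consented):
        return "period-expired"
    if now - session.last_activity >= INACTIVITY_LIMIT:
        return "inactive-4-days"
    return None

def audit(sessions: dict, configured: timedelta, now: datetime) -> dict:
    """Map each subscriber to the reason a sign-in is due (None = still valid)."""
    return {name: reauth_reason(s, configured, now) for name, s in sessions.items()}

# Constructed sample data: a 30-day period evaluated on 1 March 2024.
NOW = datetime(2024, 3, 1, 9, 0)
SAMPLE = {
    "active-allow": Session(NOW - timedelta(days=10), NOW - timedelta(hours=2), True),
    "idle-allow": Session(NOW - timedelta(days=10), NOW - timedelta(days=5), True),
    "active-deny": Session(NOW - timedelta(days=2), NOW - timedelta(hours=1), False),
    "expired-allow": Session(NOW - timedelta(days=31), NOW - timedelta(hours=1), True),
}

if __name__ == "__main__":
    for name, reason in audit(SAMPLE, timedelta(days=30), NOW).items():
        print(f"{name:14} {reason or 'still signed in'}")
```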

Allow subscribers to change their account password

Note:

This feature is being rolled out to customers incrementally. You might not see the feature until the rollout process is complete.

Citrix aims to deliver new features and product updates to Citrix Workspace customers when they’re available. This process is transparent to you. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally helps ensure product quality and maximize availability.

The Allow Account Password to be Changed setting in Workspace Configuration > Customize > Preferences controls whether subscribers can change their domain password from within Citrix Workspace. You can also provide guidance to subscribers so that they can create valid passwords in line with your organization’s password policy.

When enabled (default), subscribers can change their password at any time, based on your organization’s Active Directory settings. If disabled, Workspace prompts subscribers to change their password when it expires, but they can’t change their unexpired password within Workspace.

Supported authentication methods

  • Active Directory
  • Active Directory plus token

Supported Workspace app clients

The following versions of Citrix Workspace app support this feature:

  • Workspace app for Windows 2101 or later
  • Workspace app for Mac 2012 or later
  • Workspace app for Chrome 2010 or later
  • Workspace app for HTML5 2101 or later
  • Workspace app for Android 21.1.0 or later

Subscribers can also use this feature when accessing workspaces with the latest version of Edge, Chrome, Firefox, or Safari web browsers.

This feature isn’t supported on older versions of Citrix Workspace app and Citrix Workspace app for Linux.

Password guidance

You can add up to 20 password requirements that reflect your organization’s security policy and that your identity provider enforces. Workspace displays these requirements as a guide when subscribers change their password from their Account Settings page in Workspace. If you don’t add any password requirements, Workspace displays the message “Your organization’s password requirements still apply.”

Important:

Citrix Workspace doesn’t validate new passwords that your subscribers enter. If a subscriber tries to change their valid password to an invalid one through Workspace, your identity provider rejects the new password. The existing password isn’t changed.

To add password requirements:

  1. Navigate to Workspace Configuration > Customize > Preferences.
  2. Under Allow Account Password to be Changed, check that the setting is enabled. If disabled, enable the setting.
  3. Select Add a password requirement.

  4. Enter a requirement that matches your organization’s security requirements for valid passwords. For example, you can specify that a password must be a certain character length. Select Add a password requirement to add more items for subscribers when they change their password.

  5. When you’re finished adding requirements, select Save.
  6. Select Save again to save all your setting changes.

Subscriber experience when changing passwords

Tip:

To increase awareness of this feature with your subscribers, consider including a recommendation in your internal knowledgebase for subscribers to change their domain passwords through Workspace. Download this PDF file for instructions you can include in your own communications and knowledgebase articles.

When Allow Account Password to be Changed is enabled, subscribers can change their password in Workspace by going to Account Settings > Security & Sign in.

Select View Password Requirements to display all the requirements you entered in Workspace Configuration.

Subscribers are automatically signed out of Workspace after changing their password and must sign in again with their new password.

Configure custom banners

Configure a custom banner to display a time-limited message of your choosing, such as an upcoming maintenance window.

The custom banner is displayed for all subscribers in all clients including web and mobile devices. Subscribers see the banner after they sign in. Subscribers can’t dismiss this banner, but they can collapse it on their mobile device.

  1. From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences > Custom banner > Configure.
  2. Enter the title and text of the message you want to display, and select the dates and times for displaying the banner to subscribers.
  3. To view how your banner will appear to subscribers, select Preview.
  4. When you’re finished, select Save.

Configure a sign-in policy

Create a custom sign-in policy to inform subscribers of your organization’s End-User License Agreement (EULA) when they sign in to their workspace.

When enabled and configured, the sign-in policy is displayed in all clients including web and mobile devices. Subscribers can see the sign-in policy when they sign in. Subscribers can’t bypass the policy and must accept it to sign in to their workspace.

  1. From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences.
  2. In the Sign in policy section, select Configure. If a policy exists, the button reads Edit instead.
  3. Enable the feature using the toggle under Enable policy.
  4. In Policy header, enter a title for the policy.
  5. Enter the policy text that subscribers must agree to before signing in. If needed, add localized text for other languages in the same text box.
  6. Enter a name for the button that subscribers must select to agree to the policy.

  7. Select Preview to see what the policy looks like for subscribers.
  8. When you’re finished, select Save.

Note:

If you have Citrix Gateway configured as your Workspace identity provider, you might already have a sign-in policy as part of your AAA and nFactor authentication flow. Citrix recommends that you configure only one sign-in policy, either as part of your existing nFactor authentication flow or outside the flow using the Citrix Cloud administration console.
