Customize security and privacy policies
This article provides guidance on how to customize the sign-in experience after you’ve already configured workspace access and authentication.
For an overview on configuring workspace access and authentication, visit Configure access. For information on how to configure subscriber authentication to workspaces, visit Configure Authentication.
Workspace Session
Use the Workspace Session settings in Workspace Configuration > Customize > Preferences to choose when users need to enter their credentials and for how long users remain logged in. Once you have updated the settings, press Save to apply them or Revert to cancel them.
Federated identity provider sessions
When enabled (default), Workspace forces a sign-in prompt with the identity provider when a new Workspace session is needed. For OIDC authentication, Workspace includes prompt=login in the authentication request. For SAML authentication, Workspace sends ForceAuthn=true in the authentication request.
When disabled, users might not be prompted to authenticate with the identity provider if the identity provider already has a valid session.
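To confirm from a captured sign-in redirect that this setting is actually taking effect, the following added example (not Citrix code) checks an OIDC authorization URL for prompt=login and a SAML AuthnRequest (HTTP-Redirect or HTTP-POST binding) for ForceAuthn="true". The sample requests are constructed for illustration, not captured from a real deployment.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def oidc_forces_login(auth_request_url: str) -> bool:
    """True if the OIDC authorization request carries prompt=login.
    'prompt' is a space-separated list, so 'login consent' also counts."""
    query = parse_qs(urlparse(auth_request_url).query)
    prompts = " ".join(query.get("prompt", [])).split()
    return "login" in prompts


def saml_forces_authn(saml_request_param: str) -> bool:
    """True if a SAMLRequest value is an AuthnRequest with ForceAuthn="true".
    HTTP-Redirect binding: base64 of a raw DEFLATE stream.
    HTTP-POST binding: base64 of the plain XML."""
    raw = base64.b64decode(saml_request_param)
    if raw.lstrip().startswith(b"<"):
        xml_bytes = raw                          # POST binding, not deflated
    else:
        xml_bytes = zlib.decompress(raw, -15)    # raw deflate, no zlib header
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False
    return root.get("ForceAuthn", "false").lower() == "true"


def _encode_redirect(xml: str) -> str:
    """Encode XML the way the SAML HTTP-Redirect binding does (constructed helper)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


# Constructed sample requests (hypothetical IdP host, not real traffic).
OIDC_FORCED = "https://idp.example.com/authorize?client_id=abc&response_type=code&scope=openid&prompt=login"
OIDC_SILENT = "https://idp.example.com/authorize?client_id=abc&response_type=code&scope=openid"
SAML_FORCED = _encode_redirect(
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_c1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="true"/>')
SAML_SILENT = _encode_redirect(
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_c2" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z"/>')

if __name__ == "__main__":
    print("OIDC forces login:", oidc_forces_login(OIDC_FORCED), oidc_forces_login(OIDC_SILENT))
    print("SAML forces authn:", saml_forces_authn(SAML_FORCED), saml_forces_authn(SAML_SILENT))
```

Paste the SAMLRequest or the full authorization URL from the browser's network trace into these functions; a False result while the setting is enabled indicates the IdP may still be serving a cached session.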
Inactivity timeout for web
Use the Inactivity Timeout for Web setting to specify the amount of idle time allowed (a maximum of 8 hours) before web users are automatically signed out of Citrix Workspace. Only interactions with Workspace, such as refreshing the page or launching an app, count as activity.
Unlike manual sign-out, which disconnects DaaS sessions, users stay connected to their DaaS sessions after a timeout due to inactivity. Users are not signed out of their identity provider either. Therefore, if Federated identity provider sessions is disabled, the user might be able to log back in without entering their credentials.
Inactivity timeout for Workspace app on desktop
Use the Inactivity Timeout for Workspace App - Desktop setting to specify the amount of idle time allowed (a maximum of 24 hours) before users are automatically signed out of Citrix Workspace app for Windows, Mac and Linux. Any interaction with the mouse or keyboard counts as activity and extends the timeout.
Unlike manual sign-out, which disconnects DaaS sessions, subscribers stay connected to their DaaS sessions even after timeout due to inactivity.
You can modify the setting using the PowerShell API. Use the Set-WorkspaceCustomConfiguration cmdlet with the parameter InactivityTimeoutInMinutes.
Inactivity timeout for Workspace app on mobile
Use the Inactivity Timeout for Workspace App - Mobile setting to specify the amount of idle time allowed (a maximum of 24 hours) before Citrix Workspace app is locked. This applies to Citrix Workspace app for iOS and Android. Once locked, users must use biometrics or their device PIN to unlock Citrix Workspace app.
You can modify the setting using the PowerShell API. Use the Set-WorkspaceCustomConfiguration cmdlet with the parameter InactivityTimeoutInMinutesMobile.
Set Authentication Period for Citrix Workspace app
Use the Authentication Period for Citrix Workspace app settings to specify the length of time users can stay signed in to Citrix Workspace app before needing to sign in again. These settings do not apply to web browsers.
The Reauthentication Period defines the maximum time before users must reauthenticate. By default this is set to 30 days, but you can configure a value between 1 and 365 days. If the period is greater than 1 day, then when the user authenticates they must provide consent to stay signed in.
The Inactivity Period defines how long a user can be inactive before they must reauthenticate. By default this is 4 days, but you can configure it to a value between 1 day and the Reauthentication Period. If a user is inactive for more than this value, they are prompted to reauthenticate the next time they attempt to access their workspace. To set an inactivity period of less than 24 hours on desktop, use the Inactivity Timeout for Workspace App on Desktop setting.
You can invalidate the session for your subscribers by downloading this PowerShell script and following the instructions included in the download. Once you’ve invalidated sessions, subscribers must reauthenticate to their workspaces in the next 24 hours.
Supported Workspace app clients
The following versions of Citrix Workspace app support this feature:
- Workspace app 2106 for Windows or later
- Workspace app 2106 for Mac or later
- Workspace app 21.6.5 for iOS or later
- Workspace app 21.6.0 for Android or later
Supported authentication methods
Staying signed in to Citrix Workspace app is supported for the following authentication methods:
- Active Directory
- Active Directory plus token
- Entra ID
- Citrix Gateway
- Okta
Note:
For the same experience as a Citrix DaaS customer using Okta or Azure Active Directory, configure the Citrix Federated Authentication Service (FAS). For more information about FAS, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.
Subscriber experience for staying signed in
When subscribers sign in to Workspace on their device, Workspace prompts them to consent to staying signed in.
When the subscriber selects the Allow option, they stay signed in during the reauthentication period. If no activity is detected on a subscriber’s device for the configured number of days, the subscriber is automatically prompted to reauthenticate. After they sign in to the Citrix Workspace app, the reauthentication period remains in effect as long as they’re using their apps and desktops on the device.
If the subscriber selects Deny, the user might be prompted to sign in for a second time. Afterward, Workspace prompts the subscriber to sign in again after 24 hours have passed.
If the subscriber’s password changes, the subscriber must sign out and sign in again through Citrix Workspace app for the reauthentication period to continue to work.
Allow subscribers to change their account password
The Allow Account Password to be Changed setting in Workspace Configuration > Customize > Preferences controls whether subscribers can change their domain password from within Citrix Workspace. You can also provide guidance to subscribers so that they can create valid passwords in line with your organization’s password policy.
When enabled (default), subscribers can change their password at any time, based on your organization’s Active Directory settings. If disabled, Workspace prompts subscribers to change their password when it expires, but they can’t change their unexpired password within Workspace.
Supported authentication methods
- Active Directory
- Active Directory plus token
Supported Workspace app clients
The following versions of Citrix Workspace app support this feature:
- Workspace app for Windows 2101 or later
- Workspace app for Mac 2012 or later
- Workspace app for Chrome 2010 or later
- Workspace app for HTML5 2101 or later
- Workspace app for Android 21.1.0 or later
Subscribers can also use this feature when accessing workspaces from a web browser.
This feature isn’t supported on the following:
- Older versions of Citrix Workspace app
- Citrix Workspace app for Linux
Password guidance
You can add up to 20 password requirements to meet your organization’s security policy and that your identity provider enforces. Workspace displays these requirements as a guide when subscribers change their password from their Account Settings page in Workspace. If you don’t add any password requirements, Workspace displays the message “Your organization’s password requirements still apply.”
Important:
Citrix Workspace doesn’t validate new passwords that your subscribers enter. If a subscriber tries to change their valid password to an invalid one through Workspace, your identity provider rejects the new password. The existing password isn’t changed.
To add password requirements:
- Navigate to Workspace Configuration > Customize > Preferences.
- Under Allow Account Password to be Changed, check that the setting is in the enabled state. If disabled, enable the setting.
- Select Add a password requirement.
- Enter a requirement that matches your organization’s security requirements for valid passwords. For example, you can specify that a password must be a certain character length. Select Add a password requirement to add more items for subscribers when they change their password.
- When you’re finished adding requirements, select Save.
- Select Save again to save all your setting changes.
Subscriber experience when changing passwords
Tip:
To increase awareness of this feature with your subscribers, consider including a recommendation in your internal knowledge base for subscribers to change their domain passwords through Workspace. Download the PDF file for instructions you can include in your own communications and knowledge base articles.
When Allow Account Password to be Changed is enabled, subscribers can change their password in Workspace by going to Account Settings > Security & Sign in.
Select View Password Requirements to display all the requirements you entered in Workspace Configuration.
Subscribers are automatically signed out of Workspace after changing their password and must sign in again with their new password.
Send custom announcements
Send a custom announcement to display a time-limited message of your choosing, such as an upcoming maintenance window.
The custom announcement is displayed for all subscribers in all clients including web and mobile devices. Subscribers see the message after they sign in. Subscribers can’t dismiss this announcement, but they can minimize it on their mobile device.
- From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences > Send custom announcement > Configure.
- Enter the title and text of the message that you want to display, and select the dates, times, and placement (top or bottom) for displaying the message to subscribers.
- To view how your message appears to subscribers, select Preview.
- When you’re finished, select Save.
Configure a sign-in policy
Create a custom sign-in policy to inform subscribers of your organization’s End-User License Agreement (EULA) when they sign in to their workspace.
When enabled and configured, the sign-in policy is displayed in all clients including web and mobile devices. Subscribers can see the sign-in policy when they sign in. Subscribers can’t bypass the policy and must accept it to sign in to their workspace.
- From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences.
- In the Sign in policy section, select Configure. If a policy exists, the button reads Edit, instead.
- Enable the feature using the toggle under Enable policy.
- In Policy header, enter a title for the policy.
- Enter the policy text that subscribers must agree to before signing in. If needed, add localized text for other languages in the same text box.
- Enter a name for the button that subscribers must select to agree to the policy.
- Select Preview to see what the policy looks like for subscribers.
- When you’re finished, select Save.
Note:
If you have Citrix Gateway configured as your Workspace identity provider, you might already have a sign-in policy as part of your AAA and nFactor authentication flow. Citrix recommends that you configure only one sign-in policy, either as part of your existing nFactor authentication flow or outside the flow using the Citrix Cloud administration console.