Customize security and privacy policies
This article provides guidance on how to customize the sign-in experience after you’ve already configured workspace access and authentication.
For an overview on configuring workspace access and authentication, visit Configure access. For information on how to configure subscriber authentication to workspaces, visit Configure Authentication.
Workspace Session
Use the Workspace Session settings in Workspace Configuration > Customize > Preferences to choose when users need to enter their credentials and for how long users remain logged in. Once you have updated the settings, press Save to apply them or Revert to cancel them.
Always prompt end users for their credentials
When enabled (default), Workspace forces a sign-in prompt with the identity provider when a new Workspace session is needed. For OIDC authentication, Workspace includes prompt=login in the authentication request. For SAML authentication, Workspace sends ForceAuthn=true in the authentication request.
When disabled, users might not be prompted to authenticate with the identity provider if the identity provider already has a valid session.
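The two request markers described above are what an administrator would look for when checking, from a browser network trace, that Workspace really is forcing a fresh sign-in at the identity provider. The following PowerShell is an added example and not Citrix code: it parses a captured OIDC authorization URL for prompt=login and a decoded SAML AuthnRequest for ForceAuthn. The host names, client identifier and request values are constructed placeholders.

```powershell
# Added example (not Citrix code): confirm from a captured authentication request that
# Workspace is forcing re-authentication at the identity provider.
# Assumes the request was copied out of a browser network trace; sample values are constructed.

function Test-OidcForcesLogin {
    # Returns $true when the OIDC authorization request carries prompt=login.
    param([Parameter(Mandatory)][string]$AuthorizeUrl)
    $query = ([uri]$AuthorizeUrl).Query.TrimStart('?')
    foreach ($pair in ($query -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($name -ne 'prompt') { continue }
        if (-not $value) { return $false }          # "prompt" present but empty
        # prompt is a space-separated list (for example "login consent");
        # '+' and %20 both encode a space in the query string
        $decoded = [uri]::UnescapeDataString($value.Replace('+', ' '))
        return (($decoded -split '\s+') -contains 'login')
    }
    return $false   # no prompt parameter: the IdP may silently reuse its existing session
}

function Test-SamlForcesAuthn {
    # Returns $true when the decoded SAML AuthnRequest sets ForceAuthn to a true value.
    param([Parameter(Mandatory)][string]$AuthnRequestXml)
    [xml]$doc = $AuthnRequestXml
    $forceAuthn = $doc.DocumentElement.GetAttribute('ForceAuthn')   # '' when the attribute is absent
    return ($forceAuthn -in @('true', '1'))
}

# Constructed samples (placeholder hosts and identifiers, not real endpoints)
$oidcRequest = 'https://idp.example.com/authorize?client_id=workspace-client&response_type=code' +
               '&scope=openid%20profile&prompt=login&redirect_uri=https%3A%2F%2Fworkspace.example.com%2Fcallback'
$samlRequest = @'
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    ForceAuthn="true" AssertionConsumerServiceURL="https://workspace.example.com/saml/acs" />
'@

"OIDC request forces login: $(Test-OidcForcesLogin -AuthorizeUrl $oidcRequest)"
"SAML request forces authn: $(Test-SamlForcesAuthn -AuthnRequestXml $samlRequest)"
```

For the SAML redirect binding the AuthnRequest travels deflated and base64-encoded in the SAMLRequest query parameter, so decode it before passing the XML to Test-SamlForcesAuthn. A result of $false for either check is the condition the setting is meant to prevent: the identity provider is free to reuse a session it already holds.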
Inactivity timeout for web browser
Use the Inactivity timeout for web browser setting to specify the amount of idle time allowed (a maximum of 8 hours) before users are automatically signed out of Citrix Workspace. Only interactions with Workspace, such as refreshing the page or launching an app, count as activity.
Unlike manual sign-out, which disconnects DaaS sessions, users stay connected to their DaaS sessions even after timeout due to inactivity. The users are not signed out from their Identity Provider. Therefore if Always prompt end users for their credentials is off, the user might be able to log back in without entering their credentials.
See also Configuring timeouts per network connectivity type.
Inactivity timeout for Workspace app
Desktop
Use the Desktop option of Inactivity timeout for Workspace app setting to specify the amount of idle time allowed (a maximum of 24 hours) before users are automatically signed out of Citrix Workspace app for Windows, Mac and Linux. Any interaction with the mouse or keyboard counts as activity and extends the timeout.
Unlike manual sign-out, which disconnects DaaS sessions, subscribers stay connected to their DaaS sessions even after timeout due to inactivity.
You can modify the setting using the PowerShell module. Use the Set-WorkspaceCustomConfiguration cmdlet with parameter InactivityTimeoutInMinutes.
See also Configuring timeouts per network connectivity type.
Mobile
Use the Mobile option of Inactivity timeout for Workspace app setting to specify the amount of idle time allowed (a maximum of 24 hours) before Citrix Workspace app is locked. This applies to Citrix Workspace app for iOS and Android. Once locked, users must use biometrics or their device PIN to unlock Citrix Workspace app. If biometrics is not enabled on the device then the user is instead logged out.
You can modify the setting using the PowerShell module. Use the Set-WorkspaceCustomConfiguration cmdlet with parameter InactivityTimeoutInMinutesMobile.
See also Configuring timeouts per network connectivity type.
Configuring timeouts per network connectivity type
You can configure the web, desktop and mobile timeouts differently according to whether the user is on your internal network, a known external network or anywhere else. For instance you could configure shorter timeouts for devices connected to your internal network.
To configure the timeout for a network connectivity type:
- Ensure that Adaptive Access is enabled.
- Define Network locations representing your internal locations and external known locations, based on the user’s public IP address. If the user’s IP address does not match a network location then its network connectivity type is considered to be undefined.
- From the Citrix Workspace PowerShell module, call the Set-StoreClientLocationConfiguration cmdlet with the Internal, External or Undefined parameters. The parameter value must be a hashtable with keys inactivityTimeoutInMinutesWeb, inactivityTimeoutInMinutesDesktop or inactivityTimeoutInMinutesMobile, and values giving the time in minutes.
If you do not configure a specific timeout for the network connectivity type then the non-location-specific timeout is used instead.
Important:
If the user device moves to a network with a different connectivity type, the new timeouts do not apply immediately. Citrix Workspace app updates the timeouts every 90 minutes. If using a web browser, the timeouts update the next time the user refreshes the web page.
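The desktop and mobile cmdlet calls from the Inactivity timeout for Workspace app section and the per-network-location call from the procedure above, combined into one added PowerShell example (this is not Citrix's own code): it applies the non-location-specific desktop and mobile timeouts with Set-WorkspaceCustomConfiguration, then location overrides with Set-StoreClientLocationConfiguration, checking every value against the ceilings this article states (8 hours for web, 24 hours for desktop and mobile) before anything is changed. It assumes the Citrix Workspace PowerShell module is installed and a session to your Citrix Cloud customer has already been established as that module's documentation describes. The minute values and the validation helpers are constructed for illustration; they give unknown networks the shortest timeouts.

```powershell
# Added example (not Citrix code). Assumes the Citrix Workspace PowerShell module is loaded
# and already connected to your Citrix Cloud customer. Minute values are constructed.

# Ceilings stated in the article: web 8 hours, desktop and mobile 24 hours
$MaxWebMinutes     = 8 * 60
$MaxDesktopMinutes = 24 * 60
$MaxMobileMinutes  = 24 * 60

function Assert-TimeoutMinutes {
    # Throws if a timeout is outside 1..Maximum minutes, so nothing invalid reaches the cmdlets.
    param(
        [Parameter(Mandatory)][int]$Minutes,
        [Parameter(Mandatory)][int]$Maximum,
        [Parameter(Mandatory)][string]$Label
    )
    if ($Minutes -lt 1 -or $Minutes -gt $Maximum) {
        throw "$Label timeout must be between 1 and $Maximum minutes (got $Minutes)"
    }
}

function Assert-LocationTimeouts {
    # Validates a hashtable in the shape Set-StoreClientLocationConfiguration expects:
    # only the three documented keys, each within its client type's ceiling.
    param([Parameter(Mandatory)][hashtable]$Timeouts)
    $limits = @{
        inactivityTimeoutInMinutesWeb     = $MaxWebMinutes
        inactivityTimeoutInMinutesDesktop = $MaxDesktopMinutes
        inactivityTimeoutInMinutesMobile  = $MaxMobileMinutes
    }
    foreach ($key in $Timeouts.Keys) {
        if (-not $limits.ContainsKey($key)) { throw "Unknown timeout key '$key'" }
        Assert-TimeoutMinutes -Minutes $Timeouts[$key] -Maximum $limits[$key] -Label $key
    }
}

# 1. Non-location-specific timeouts (the fallback when no location override exists)
$desktopMinutes = 120   # constructed: 2 hours idle before Workspace app for Windows/Mac/Linux signs out
$mobileMinutes  = 60    # constructed: 1 hour idle before Workspace app for iOS/Android locks
Assert-TimeoutMinutes -Minutes $desktopMinutes -Maximum $MaxDesktopMinutes -Label 'Desktop'
Assert-TimeoutMinutes -Minutes $mobileMinutes  -Maximum $MaxMobileMinutes  -Label 'Mobile'

Set-WorkspaceCustomConfiguration -InactivityTimeoutInMinutes $desktopMinutes
Set-WorkspaceCustomConfiguration -InactivityTimeoutInMinutesMobile $mobileMinutes

# 2. Per-network-location overrides (requires Adaptive Access and defined Network locations).
#    Devices that match no Network location fall under Undefined, so it gets the tightest values.
$internalTimeouts = @{
    inactivityTimeoutInMinutesWeb     = 240
    inactivityTimeoutInMinutesDesktop = 480
    inactivityTimeoutInMinutesMobile  = 120
}
$externalTimeouts = @{
    inactivityTimeoutInMinutesWeb     = 60
    inactivityTimeoutInMinutesDesktop = 120
    inactivityTimeoutInMinutesMobile  = 60
}
$undefinedTimeouts = @{
    inactivityTimeoutInMinutesWeb     = 15
    inactivityTimeoutInMinutesDesktop = 30
    inactivityTimeoutInMinutesMobile  = 15
}

Assert-LocationTimeouts -Timeouts $internalTimeouts
Assert-LocationTimeouts -Timeouts $externalTimeouts
Assert-LocationTimeouts -Timeouts $undefinedTimeouts

Set-StoreClientLocationConfiguration -Internal  $internalTimeouts
Set-StoreClientLocationConfiguration -External  $externalTimeouts
Set-StoreClientLocationConfiguration -Undefined $undefinedTimeouts
```

All validation runs before the first Set-* call, so a typo in one hashtable aborts the whole change rather than leaving the tenant half-configured. Remember that Workspace app only picks up changed location timeouts on its 90-minute refresh, so do not expect an immediate effect on connected devices when testing.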
Stay logged in to Workspace app
Use the Stay logged in to Workspace app settings to specify the length of time users can stay signed in to Citrix Workspace app before needing to sign in again. These settings do not apply to web browsers.
The Authentication period defines the maximum time before users must reauthenticate. By default this is set to 30 days, but you can configure a value between 1 and 365 days. If the period is greater than 1 day, users must provide consent to stay signed in when they authenticate.
The Inactivity period defines how long a user can be inactive before they must reauthenticate. By default this is 4 days, but you can configure it to a value between 1 day and the Reauthentication Period. If a user is inactive for more than this value, they are prompted to reauthenticate the next time that they attempt to access their workspace. To set an inactivity period of less than 24 hours on desktop, use the Desktop option of the Inactivity timeout for Workspace app setting.
You can invalidate the session for your subscribers by downloading this PowerShell script and following the instructions included in the download. Once you’ve invalidated sessions, subscribers must reauthenticate to their workspaces in the next 24 hours.
Supported Workspace app clients
The following versions of Citrix Workspace app support this feature:
- Workspace app 2106 for Windows or later
- Workspace app 2106 for Mac or later
- Workspace app for iOS 21.6.5 or later
- Workspace app for Android 21.6.0 or later
Supported authentication methods
Staying signed in to Citrix Workspace app is supported for the following authentication methods:
- Active Directory
- Active Directory plus token
- Entra ID
- Citrix Gateway
- Okta
Note:
For the same experience as a Citrix DaaS customer using Okta or Azure Active Directory, configure the Citrix Federated Authentication Service (FAS). For more information about FAS, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.
Subscriber experience for staying signed in
When subscribers sign in to Workspace on their device, Workspace prompts them to consent to staying signed in.
When the subscriber selects the Allow option, they stay signed in during the reauthentication period. If no activity is detected on a subscriber’s device for the configured number of days, the subscriber is automatically prompted to reauthenticate. After they sign in to the Citrix Workspace app, the reauthentication period remains in effect as long as they’re using their apps and desktops on the device.
If the subscriber selects Deny, the subscriber might be prompted to sign in a second time. Afterward, Workspace prompts the subscriber to sign in again after 24 hours have passed.
If the subscriber’s password changes, the subscriber must sign out and sign in again through Citrix Workspace app for the reauthentication period to continue to work.
Allow end users to change their account password
If you are using Active Directory or Active Directory (AD) plus token authentication then you can choose whether users can change their password. When enabled (default), users can change their password at any time, based on your organization’s Active Directory settings. If disabled, Workspace prompts subscribers to change their password when it expires, but they can’t change their unexpired password within Citrix Workspace. To configure this:
- Navigate to Workspace Configuration > Customize > Preferences.
- Go to section Allow Account Password to be Changed.
- Toggle Enabled.
- Press Save to save any changes.
You can add up to 20 password requirements to meet your organization’s security policy and that your identity provider enforces. Workspace displays these requirements as a guide when subscribers change their password from their Account Settings page in Workspace. If you don’t add any password requirements, Workspace displays the message “Your organization’s password requirements still apply.”
To add password requirements:
- If there are currently no password requirements, select Add password requirement. If there is already at least one password requirement, select Edit.
- Enter a requirement that matches your organization’s security requirements for valid passwords. For example, you can specify that a password must be a certain character length. Select Add a password requirement to add more items for subscribers when they change their password.
- When you’re finished adding requirements, select Save. You can expand the list of requirements.
- Select Save again to save all your setting changes.
Supported Citrix Workspace app clients
The following versions of Citrix Workspace app support this feature:
- Citrix Workspace app for Windows 2101 or later
- Citrix Workspace app for Mac 2012 or later
- Citrix Workspace app for Chrome 2010 or later
- Citrix Workspace app for HTML5 2101 or later
- Citrix Workspace app for Android 21.1.0 or later
Subscribers can also use this feature when accessing workspaces from a web browser.
This feature isn’t supported on the following:
- Older versions of Citrix Workspace app
- Citrix Workspace app for Linux
End user experience when changing passwords
Tip:
To increase awareness of this feature with your subscribers, consider including a recommendation in your internal knowledgebase for subscribers to change their domain passwords through Workspace. Download pdf file for instructions you can include in your own communications and knowledge base articles.
When Allow Account Password to be Changed is enabled, end users can change their password in Workspace by going to Account Settings > Security & Sign in.
Select View Password Requirements to display all the requirements you entered in Workspace Configuration.
Users are automatically logged out after changing their password and must sign in again with their new password.
Send custom announcements
You can send a custom announcement to your users during a given time period, for instance to inform them of an upcoming maintenance window. You can configure a default announcement along with an override for each Workspace. Only a single announcement can be configured per Workspace.
Add announcement
- Navigate to Workspace Configuration > Customize > Preferences > Send custom announcements.
- To add an announcement that applies to workspaces where there is no active override, select Add default notification. To add an announcement for a specific workspace, select Add override notification.
- If you added an override announcement, choose which workspaces it applies to. This is not applicable to the default announcement.
- Enter the Announcement title.
- Enter the Description text.
- Enter the time period during which the announcement should appear.
- Choose whether to place the announcement at the top or bottom.
- To view how your message appears to users, select Preview.
- When you’re finished, select Save.
Delete announcement
- In the row containing the announcement, select … to open the menu then select Delete.
- In the confirmation window, select Delete.
Edit announcement
- In the row containing the announcement, select … to open the menu then select Edit.
- Make changes as required.
- Select Save.
Configure a custom dialog to be displayed before log in
Create a custom dialog that is displayed before users log in. It is displayed on all clients including web, desktop and mobile devices. You can use it to display information such as log in instructions, company usage policy, or an upcoming maintenance window. Users must accept the dialog before proceeding to the log in screen.
- From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences.
- Navigate to the Log in dialog section.
- If not enabled, select the toggle labelled Before log in. If it is already enabled, click the Edit button.
- A configuration dialog will appear.
- Enter the Title for the dialog.
- Enter the Description to be displayed in the dialog. It is not possible to localize the text, however you can append multiple different languages within the description.
- Enter the Button text. The users must press this button to proceed.
- Select Preview to see what the dialog looks like for end users.
- When you’re finished, select Save.
Note
If you have Citrix Gateway configured as your Workspace identity provider, you might already have a log in policy as part of your AAA and nFactor authentication flow. Citrix recommends that you configure only one log in policy, either as part of your existing nFactor authentication flow or outside the flow using the Citrix Cloud administration console.
Configure a custom dialog to be displayed after log in
You can configure a custom dialog that is displayed after users log in. It is displayed on all clients including web, desktop and mobile devices. You can use it to display information such as log in instructions, company usage policy, or an upcoming maintenance window. Users must accept the dialog before proceeding to their resources.
The admin can decide how often the dialog is shown on a per-device basis: only once, every day, every 7 days or every 30 days. (Note: if the user clears caches or cookies, the dialog appears again.)
- From the Citrix Cloud menu, select Workspace Configuration > Customize > Preferences.
- Navigate to the Log in dialog section.
- If not enabled, select the toggle labelled After log in to enable. If it is already enabled, click the Edit button.
- A configuration dialog will appear.
- Enter the Title for the dialog.
- Enter the Description to be displayed in the dialog. It is not possible to localize the text, however you can append multiple different languages within the description.
- Enter the Button text. The users must press this button to proceed.
- Choose a display frequency to set how often each user sees the dialog.
- Select Preview to see what the dialog looks like for end users.
- When you’re finished, select Save.