Citrix Workspace™

Workspace Sessions

Use the Workspace Session settings to choose when users need to enter their credentials and for how long users remain logged in. To configure these settings:

  1. From the Citrix Cloud menu, choose Workspace Configuration.
  2. From the Customize menu, choose Preferences.
  3. Go to the Workspace Sessions section.
  4. Update the settings.
  5. Press Save to apply them or Revert to cancel them.

Some settings can be configured differently according to the network location connectivity type. This requires using PowerShell modules. For more information, see Configure settings per network connectivity type.

Always prompt end users for their credentials

Screenshot of setting always prompt users for credentials

When enabled (default), Workspace forces a sign-in prompt with the identity provider when a new Workspace session is needed. For OIDC authentication, Workspace includes prompt=login in the authentication request. For SAML authentication, Workspace sends ForceAuthn=true in the authentication request.

When disabled, users might not be prompted to authenticate with the identity provider if the identity provider already has a valid session.
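One way to confirm the setting from a captured sign-in redirect, as an added example that is not Citrix code: the function reports whether an OIDC request carries prompt=login or a SAML request carries ForceAuthn. The name Test-ForcedSignIn, the idp.example URLs and the use of the SAML HTTP-Redirect binding are assumptions.

```powershell
# Added example (not Citrix code): does a captured authentication request force a fresh sign-in?
Add-Type -AssemblyName System.Web    # provides System.Web.HttpUtility

function Test-ForcedSignIn {
    param([Parameter(Mandatory)][string]$RequestUrl)
    $query = [System.Web.HttpUtility]::ParseQueryString(([uri]$RequestUrl).Query)

    if ($query['SAMLRequest']) {
        # Assumption: SAML HTTP-Redirect binding, i.e. base64 of raw-DEFLATE XML.
        $raw     = [Convert]::FromBase64String($query['SAMLRequest'])
        $inflate = [System.IO.Compression.DeflateStream]::new(
                       [System.IO.MemoryStream]::new($raw),
                       [System.IO.Compression.CompressionMode]::Decompress)
        $settings = [System.Xml.XmlReaderSettings]::new()
        $settings.DtdProcessing = 'Prohibit'     # never process DTDs from captured traffic
        $doc = [xml]::new()
        $doc.Load([System.Xml.XmlReader]::Create($inflate, $settings))
        $forced = $doc.DocumentElement.GetAttribute('ForceAuthn') -cin 'true', '1'
        return [pscustomobject]@{ Protocol = 'SAML'; ForcesSignIn = $forced }
    }
    # OIDC: prompt is a space-delimited, case-sensitive list such as "login consent".
    $prompts = "$($query['prompt'])" -split '\s+'
    [pscustomobject]@{ Protocol = 'OIDC'; ForcesSignIn = ($prompts -ccontains 'login') }
}

# Constructed sample requests; idp.example is a placeholder, not a real endpoint.
$xml   = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed" Version="2.0" ForceAuthn="true"/>'
$buf   = [System.IO.MemoryStream]::new()
$zip   = [System.IO.Compression.DeflateStream]::new($buf, [System.IO.Compression.CompressionMode]::Compress)
$bytes = [System.Text.Encoding]::UTF8.GetBytes($xml)
$zip.Write($bytes, 0, $bytes.Length); $zip.Dispose()
$saml  = 'https://idp.example/sso?SAMLRequest=' + [uri]::EscapeDataString([Convert]::ToBase64String($buf.ToArray()))

Test-ForcedSignIn $saml
Test-ForcedSignIn 'https://idp.example/authorize?client_id=constructed&scope=openid&prompt=login'
Test-ForcedSignIn 'https://idp.example/authorize?client_id=constructed&scope=openid'
```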

Inactivity timeout for web browser

Use the Inactivity timeout for web browser setting to specify the amount of idle time allowed (a maximum of 8 hours) before users are automatically signed out of Citrix Workspace. Only interactions with Workspace, such as refreshing the page or launching an app, count as activity.

Screenshot Workspace session timeout for web setting

Unlike manual sign-out, which disconnects DaaS sessions, users stay connected to their DaaS sessions even after timeout due to inactivity. The users are not signed out from their Identity Provider. Therefore, if Always prompt end users for their credentials is off, the user might be able to log back in without entering their credentials.

See also Configuring settings per network connectivity type.

Inactivity timeout for Workspace app

Inactivity timeout for Workspace app setting

Desktop

Use the Desktop option of the Inactivity timeout for Workspace app setting to specify the amount of idle time allowed (a maximum of 24 hours) before users are automatically signed out of Citrix Workspace app for Windows, Mac and Linux. Any interaction with the mouse or keyboard counts as activity and extends the timeout.

Unlike manual sign-out, which disconnects DaaS sessions, subscribers stay connected to their DaaS sessions even after timeout due to inactivity.

You can modify the setting using the PowerShell module. Use the Set-WorkspaceCustomConfiguration cmdlet with parameter InactivityTimeoutInMinutes.

See also Configure settings per network connectivity type.

Mobile

Use the Mobile option of the Inactivity timeout for Workspace app setting to specify the amount of idle time allowed (a maximum of 24 hours) before Citrix Workspace app is locked. This applies to Citrix Workspace app for iOS and Android. Once locked, users must use biometrics or their device PIN to unlock Citrix Workspace app. If biometrics is not enabled on the device, the user is logged out instead.

You can modify the setting using the PowerShell module. Use the Set-WorkspaceCustomConfiguration cmdlet with parameter InactivityTimeoutInMinutesMobile.

See also Configure settings per network connectivity type.

Stay logged in to Workspace app

Use the Stay logged in to Workspace app settings to specify the length of time users can stay signed in to Citrix Workspace app before needing to sign in again. These settings do not apply to web browsers.

Stay logged in to Workspace app period settings

The Authentication period defines the maximum time before users must reauthenticate. By default this is set to 30 days but you can configure a value between 1 and 365 days.

If the period is greater than 1 day, then by default users are prompted for consent to stay signed in when they authenticate. For more information, see user experience. To avoid this prompt, an admin can consent on behalf of the user.

The Inactivity period defines how long a user can be inactive before they must reauthenticate. By default this is 4 days but you can configure it to a value between 1 day and the Reauthentication Period. If a user is inactive for more than this value, they are prompted to reauthenticate the next time that they attempt to access their workspace. To set an inactivity period of less than 24 hours on desktop, use the Desktop option of the Inactivity timeout for Workspace app setting.

You can invalidate the session for your end users by downloading this PowerShell script and following the instructions included in the download. Once you’ve invalidated sessions, subscribers must reauthenticate to their workspaces in the next 24 hours.

Supported Workspace app clients

The following versions of Citrix Workspace app support this feature:

  • Workspace app 2106 for Windows or later
  • Workspace app 2106 for Mac or later
  • Workspace app 21.6.5 for iOS or later
  • Workspace app 21.6.0 for Android or later

Supported authentication methods

Staying signed in to Citrix Workspace app is supported for the following authentication methods:

  • Active Directory
  • Active Directory plus token
  • Entra ID
  • Citrix Gateway
  • Okta

Note:

For the same experience as a Citrix DaaS customer using Okta or Azure Active Directory, configure the Citrix Federated Authentication Service (FAS). For more information about FAS, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.

Permission to stay signed in config (Admin Consent)

Normally when the re-authentication period is set to more than a day, when a user logs in from Citrix Workspace app, they are prompted for permission to “Stay signed in”. This allows the Citrix Workspace app to use a refresh token to obtain new access tokens when the existing ones expire. The user must accept the permission to continue. If the user rejects the permission then they are returned to the log in screen. You can consent on behalf of the user which removes the prompt. To enable this option, navigate to Workspace Configuration > Customize > Preferences. Under the section Workspace sessions, select Give consent on behalf of end users to stay signed in…

User experience for staying signed in

Configure settings per network connectivity type

You can configure the web, desktop and mobile timeouts, along with Always prompt end users for their credentials, differently according to whether the user is on your internal network, a known external network or anywhere else. For instance you could configure shorter timeouts for devices connected to your internal network.

View existing configuration

To view the existing configuration using the Citrix Workspace PowerShell module, call the Get-StoreClientLocationConfiguration cmdlet. For example:

$ConnectivityTimeouts = Get-StoreClientLocationConfiguration -StoreUrl "https://customer.cloud.com" `
                                                             -ClientId 'myclientid' `
                                                             -ClientSecret 'mysecret'
$ConnectivityTimeouts.external
$ConnectivityTimeouts.internal
$ConnectivityTimeouts.undefined

Update configuration

To configure the setting for a network connectivity type:

  1. Ensure that Adaptive Access is enabled.
  2. Define Network locations representing your internal locations and external known locations, based on the user’s public IP address. If the user’s IP address does not match a network location then its network connectivity type is considered to be undefined.
  3. From the Citrix Workspace PowerShell module, call the Set-StoreClientLocationConfiguration cmdlet with the Internal, External or Undefined parameters. The parameter value must be a hashtable with keys inactivityTimeoutInMinutesWeb, inactivityTimeoutInMinutesDesktop, inactivityTimeoutInMinutesMobile and promptLoginEnabled.

For example, to set overrides for each location, run:

$InternalHashTable = @{promptLoginEnabled=$false;
                       inactivityTimeoutInMinutesWeb='60';
                       inactivityTimeoutInMinutesDesktop='60';
                       inactivityTimeoutInMinutesMobile='120'}
$ExternalHashTable = @{promptLoginEnabled=$true;
                       inactivityTimeoutInMinutesWeb='60';
                       inactivityTimeoutInMinutesDesktop='60';
                       inactivityTimeoutInMinutesMobile='120'}
$UndefinedHashTable = @{promptLoginEnabled=$true;
                       inactivityTimeoutInMinutesWeb='20';
                       inactivityTimeoutInMinutesDesktop='20';
                       inactivityTimeoutInMinutesMobile='20'}

Set-StoreClientLocationConfiguration -StoreUrl "https://customer.cloud.com" `
                                     -ClientId 'myclientid' `
                                     -ClientSecret 'mysecret' `
                                     -Internal $InternalHashTable `
                                     -External $ExternalHashTable `
                                     -Undefined $UndefinedHashTable

If you do not configure a specific timeout for the network connectivity type then the non-location-specific timeout is used instead.
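A pre-flight check for the override hashtables, as an added example that is not Citrix code: it reports mistyped keys, timeouts outside the allowed range, keys that will fall back to the non-location-specific value, and non-internal locations where promptLoginEnabled is off. Test-LocationOverride is a hypothetical helper; applying the global maxima (8 hours web, 24 hours desktop and mobile) to overrides, the 1-minute lower bound and the warning policy are assumptions.

```powershell
# Added example, not Citrix code. Test-LocationOverride is a hypothetical helper.
# Maxima are the ones the page gives for the global settings; applying them to
# per-location overrides, and the lower bound of 1 minute, are assumptions.
$MaxMinutes = @{
    inactivityTimeoutInMinutesWeb     = 8 * 60
    inactivityTimeoutInMinutesDesktop = 24 * 60
    inactivityTimeoutInMinutesMobile  = 24 * 60
}

function Test-LocationOverride {
    param(
        [Parameter(Mandatory)][ValidateSet('Internal', 'External', 'Undefined')][string]$Location,
        [hashtable]$Override    # $null means no override for this location
    )
    $report = { param($level, $text)
        [pscustomobject]@{ Location = $Location; Level = $level; Finding = $text } }
    if ($null -eq $Override) {
        & $report Info 'No override: non-location-specific settings apply'
        return
    }
    $known = @($MaxMinutes.Keys) + 'promptLoginEnabled'
    foreach ($key in $Override.Keys) {
        if ($key -notin $known) { & $report Error "Unknown key '$key' (typo?)" }
    }
    foreach ($key in $MaxMinutes.Keys) {
        $minutes = 0
        if (-not $Override.ContainsKey($key)) {
            & $report Info "$key not set: non-location-specific timeout applies"
        }
        elseif (-not ([int]::TryParse([string]$Override[$key], [ref]$minutes)) -or
                $minutes -lt 1 -or $minutes -gt $MaxMinutes[$key]) {
            & $report Error "$key='$($Override[$key])' is outside 1..$($MaxMinutes[$key]) minutes"
        }
    }
    # Policy choice of this example: flag networks other than Internal.
    if ($Location -ne 'Internal' -and $Override['promptLoginEnabled'] -eq $false) {
        & $report Warning 'promptLoginEnabled is off: after a timeout, a live IdP session can sign the user back in without credentials'
    }
}

# Constructed input: a mistyped Desktop key and a web timeout above 8 hours.
$undefined = @{ promptLoginEnabled                = $false
                inactivityTimeoutInMinutesWeb     = '600'
                inactivityTimeoutInMinutesDekstop = '20'
                inactivityTimeoutInMinutesMobile  = '20' }
Test-LocationOverride -Location Undefined -Override $undefined | Format-Table -AutoSize
```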

To remove overrides, set the Internal, External or Undefined parameter to null. For example:

Set-StoreClientLocationConfiguration -StoreUrl "https://customer.cloud.com" `
                                     -ClientId 'myclientid' `
                                     -ClientSecret 'mysecret' `
                                     -Internal $NULL `
                                     -External $NULL `
                                     -Undefined $NULL

Important:

If the user device moves to a network with a different connectivity type then the new values do not apply immediately. Citrix Workspace app updates the values every 90 minutes. If using a web browser, the values update the next time the user refreshes the web page.
