Manage Citrix Endpoint Analysis client for Device Posture service
Citrix Device Posture service is a cloud-based solution that helps admins to enforce certain requirements that the end devices must meet to gain access to Citrix DaaS (virtual apps and desktops) or Citrix Secure Private Access resources (SaaS, Web apps, TCP, and UDP apps).
To run device posture scans on an end device, the Citrix Endpoint Analysis (EPA) client, a lightweight application, must be installed on that device. The Device Posture service always runs with the latest version of the EPA client released by Citrix.
Installation of the EPA client
At runtime, the Device Posture service prompts the end user to download and install the EPA client. For details, see End-user flow. The EPA client does not usually require local admin rights to download and install on an endpoint. However, to run device certificate check scans on an end device, the EPA client must be installed with administrator access. For details about installing the EPA client with administrator access, see Install device certificate on the end device.
Upgrade of the EPA client for Windows
When a new version of the EPA client is released, EPA clients for Windows are upgraded automatically by default after the first installation. Auto-upgrade ensures that end-user devices always run the latest version of the EPA client that is compatible with the Device Posture service. Auto-upgrade requires that the EPA client was installed with administrator access; a client installed with user privileges is not upgraded automatically.
Auto-upgrade is currently in preview. Sign up for the preview using https://podio.com/webforms/29214695/2384946.
Distribution of the EPA client
EPA clients can be distributed using the Global App Configuration service (GACS), the EPA client integrated with the Citrix Workspace app installer, or software deployment tools.
- EPA client integrated with Citrix Workspace app (Preview): The EPA client is also integrated with Citrix Workspace app. This integration eliminates the need for end users to install the EPA client separately after installing Citrix Workspace app.
  - If an end device already has an EPA client installed and the end user installs Citrix Workspace app, the integrated EPA client is not installed on that device. The existing EPA client is used for device posture checks.
  - Similarly, if the end user uninstalls Citrix Workspace app, the integrated EPA client is also removed from the device by default. However, if the EPA client was not installed as part of the integrated Citrix Workspace app installation, the existing EPA client is retained on the device.
  - EPA client integration with Citrix Workspace app is supported only on the Windows platform and is under preview. Sign up for the preview using https://podio.com/webforms/29219973/2385708.
- Distribute the client using GACS: GACS is a Citrix-provided solution to manage the distribution of client-side agents (plug-ins). The Auto update service available in GACS ensures that end devices are on the latest EPA version without end-user intervention. For more information on GACS, see How to use the Global App Configuration service?.
  - GACS is supported on Windows devices only for distributing the EPA client.
  - To manage an EPA client through GACS, install Citrix Workspace app (CWA) on the end devices.
  - If CWA is installed with administrator privileges on an end-user device, GACS installs the EPA client with the same administrator privileges.
  - If CWA is installed with user privileges on an end-user device, GACS installs the EPA client with the same user privileges. An EPA client installed with user privileges cannot run device certificate check scans and is not auto-upgraded, because both require administrator access.
- Distribute the client using software deployment tools: Admins can distribute the latest EPA client through software deployment tools such as Microsoft SCCM.
Manage EPA client when used with NetScaler and Device Posture
The EPA client can be used together with NetScaler and Device Posture in the following deployments:
- NetScaler based Adaptive Authentication with EPA
- NetScaler based on-prem gateway with EPA
The Device Posture service pushes the latest version of the EPA client to the end devices. However, on NetScaler, administrators can configure the following version control for the EPA scans on gateway virtual servers:
- Always: The EPA client on the end device and NetScaler must be on the same version.
- Essential: The EPA client version on the end device must be within the range configured on NetScaler.
- Never: The end device can have any version of the EPA client.
For more information, see Plug-in behaviors.
Considerations when EPA client is used with NetScaler and Device Posture
When an EPA client is used together with the Device Posture service and NetScaler, the end device might be running the latest EPA client version while NetScaler is configured with a different version. Because of this version mismatch, NetScaler might prompt the end user to install the EPA client version present on NetScaler, replacing the client that the Device Posture service pushed. To avoid this conflict, we recommend the following configuration changes:
- If you have configured EPA with Adaptive Authentication, an on-premises authentication virtual server, or a gateway virtual server, disable version control of the EPA client on NetScaler. With version control disabled, NetScaler accepts the latest version pushed to the end device by GACS or the Device Posture service instead of prompting the end user to install a different one.
EPA version control can be set to Never by using the CLI or the GUI. These configuration changes are supported on NetScaler 13.x and later versions.
- CLI: Use the CLI commands below for Adaptive Authentication and on-premises authentication virtual servers.
- GUI: Use the GUI for the on-premises gateway virtual server. For details, see Control upgrade of Citrix Secure Access clients.
Sample CLI commands (replace the angle-bracket placeholders with your own object names):
add rewrite action <rewrite_action_name> insert_http_header Plugin-Upgrade "\"epa_win:Never;epa_mac:Always;epa_linux:Always;vpn_win:Never;vpn_mac:Always;vpn_linux:Always;\""
add rewrite policy <rewrite_policy_name> "HTTP.REQ.URL.CONTAINS(\"pluginlist.xml\")" <rewrite_action_name>
bind authentication vserver <authentication_vserver_name> -policy <rewrite_policy_name> -priority 10 -type RESPONSE
The rewrite action inserts a Plugin-Upgrade header into the response to the client's pluginlist.xml request. The value epa_win:Never disables version control for the Windows EPA client, which is the platform the Device Posture service manages, while the other platforms stay on Always. The header value is wrapped in escaped double quotes inside the outer quotes; keep that quoting exactly, otherwise the action is created with a truncated value.
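The following Python script is an added example, not Citrix code, that models the three version-control modes listed above (Always, Essential, Never) and the Plugin-Upgrade header value inserted by the sample rewrite action. It lets you validate a header string before typing it into the NetScaler CLI, render the `add rewrite action` command with the correct escaped quoting, and check whether a given device/NetScaler version pair would trigger the reinstall prompt described in the considerations section. Everything not on the page is an assumption: version strings are dotted integers compared numerically, Essential is modeled as a configured minimum version only (the page says "within the range configured on NetScaler" without defining the range), a device with no EPA client at all is always prompted, and the version numbers and object names used are made up.

```python
"""
Added example, not Citrix's code: a small model of the NetScaler EPA plug-in
version-control modes and of the Plugin-Upgrade header value that the sample
rewrite action inserts.

Assumptions (not stated on the Citrix page): version strings are dotted
integers compared numerically; "Essential" is modeled as a configured minimum
version only; a device with no EPA client at all is always prompted.
"""

# Plug-in keys accepted in the Plugin-Upgrade header, in the order the sample
# rewrite action lists them.
PLUGIN_KEYS = ("epa_win", "epa_mac", "epa_linux", "vpn_win", "vpn_mac", "vpn_linux")
MODES = ("Always", "Essential", "Never")


def parse_plugin_upgrade(header_value):
    """Parse 'epa_win:Never;epa_mac:Always;...' into a dict of key -> mode.

    Rejects unknown plug-in keys and unknown modes so a typo in the rewrite
    action is caught before the policy is bound to a virtual server.
    """
    modes = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate the trailing ';' the sample command uses
        key, sep, mode = item.partition(":")
        key, mode = key.strip(), mode.strip()
        if not sep or key not in PLUGIN_KEYS:
            raise ValueError(f"unknown plug-in key in Plugin-Upgrade header: {key!r}")
        if mode not in MODES:
            raise ValueError(f"unknown version-control mode {mode!r} for {key}")
        modes[key] = mode
    return modes


def build_plugin_upgrade(modes):
    """Inverse of parse_plugin_upgrade: keys in PLUGIN_KEYS order, trailing ';'."""
    for key, mode in modes.items():
        if key not in PLUGIN_KEYS or mode not in MODES:
            raise ValueError(f"invalid Plugin-Upgrade entry {key}:{mode}")
    return "".join(f"{key}:{modes[key]};" for key in PLUGIN_KEYS if key in modes)


def rewrite_action_cli(action_name, modes):
    """Render the 'add rewrite action' command with NetScaler CLI quoting:
    the header value sits in escaped double quotes inside the outer quotes."""
    value = build_plugin_upgrade(modes)
    return (f'add rewrite action {action_name} insert_http_header Plugin-Upgrade '
            f'"\\"{value}\\""')


def _version_tuple(version):
    # Assumption: dotted numeric versions such as "23.12.0.0".
    return tuple(int(part) for part in version.split("."))


def netscaler_prompts_install(mode, device_version, netscaler_version, min_version=None):
    """Return True if NetScaler would prompt the user to install its own EPA client.

    mode: 'Always', 'Essential' or 'Never' (the Plugin-Upgrade value for the platform)
    device_version: EPA client version on the endpoint, or None if none is installed
    netscaler_version: EPA client version shipped with NetScaler
    min_version: lower bound used for 'Essential' (assumed model of the configured range)
    """
    if device_version is None:
        return True  # assumption: no client at all always triggers the install prompt
    device = _version_tuple(device_version)
    if mode == "Never":
        return False  # any version is accepted; nothing pushed by Device Posture is replaced
    if mode == "Always":
        return device != _version_tuple(netscaler_version)
    if mode == "Essential":
        if min_version is None:
            raise ValueError("Essential mode needs the configured minimum version")
        return device < _version_tuple(min_version)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed scenario from the considerations section: Device Posture pushed
    # a newer client (24.3.0.0) than the one bundled with NetScaler (23.12.0.0).
    sample = "epa_win:Never;epa_mac:Always;epa_linux:Always;vpn_win:Never;vpn_mac:Always;vpn_linux:Always;"
    print(rewrite_action_cli("dp_plugin_upgrade_act", parse_plugin_upgrade(sample)))
    for mode in MODES:
        prompted = netscaler_prompts_install(mode, "24.3.0.0", "23.12.0.0", min_version="23.1.0.0")
        print(f"{mode:9s} -> NetScaler prompts reinstall: {prompted}")
```

Run it directly to see that only Always produces the reinstall prompt for the newer Device Posture client, which is why the page recommends epa_win:Never; the parse step is the check to run on any header value before pasting it into a rewrite action.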