Multi-workspace URLs support - Preview

Administrators can apply distinct device posture policies to different Citrix Workspace™ access URLs, offering granular control and simplified security management.

Previously, the Device Posture service was enabled globally across all workspace URLs, preventing administrators from applying specific requirements on a per-URL basis.

With multi-workspace URLs support, you can now do the following:

• Apply distinct device posture checks for specific workspace URLs.
• Enforce varying levels of device compliance based on the workspace URL that users access.
• Create and test device posture checks on test workspace URLs before deploying to production URLs.

Important considerations

Before implementing multi-workspace URLs, note the following:

• Service continuity might be interrupted during initial setup or due to misconfiguration. We recommend testing this feature in a controlled test environment before deploying to production.

• Use a phased approach to minimize end-user impact during rollout:

  • Create a new workspace URL specifically for a small group of test users.
  • Keep your existing production workspace URL operational with its current configuration.

  This approach allows you to validate the multi-workspace URLs feature without disrupting the broader user base.

Prerequisites

• Supported platforms: Windows, macOS and iOS

• Multi-workspace URLs support is available in the following EPA clients:

  • Windows: Version 25.2.1.18 and later. Download link.
  • macOS: Version 25.6.10 and later. Download link.
  • iOS: Citrix Workspace app (CWA) version 25.5.0 and later (installed from App Store).
• Fill out the form for us to enable this feature in the back end.

Note:

• Users accessing from devices running on platforms other than Windows, macOS, or iOS are treated as non-supported and follow the default behavior configured by the administrator in the Device Posture service console:

  • Devices on non-supported platforms are marked as Non-compliant by default.
  • You can change the classification from Non-compliant to Denied login from the Settings tab on the Device Posture page.
  • For the definitions of “compliant” and “non-compliant,” see Definitions.

• The EPA clients on endpoints must use the versions specified in the prerequisites section. If clients use older versions, device scans fail to start. For Windows administrators, this requirement is simplified because the EPA client is bundled with Citrix Secure Access™ Client for Windows 2505.

• You can also skip device posture checks for non-supported devices. For details, see Skip device posture checks.

Configure multi-workspace URLs

1. Ensure workspace URLs are configured via Workspace configuration > Access.

   

2. To access Device Posture, log in to Citrix Cloud™ and navigate to Identity and Access Management > Device Scans in the Device Posture navigation bar.

3. Click Configure Device Posture and then click Settings.

4. Select Use different device scans per Workspace URL.

5. To modify the device posture preference, click Change.

Note:

• When the Use different device scans per Workspace URL option is enabled, all existing global scans become inactive. You must configure new scans individually for each workspace URL.
• After configuring and saving new scans, users are prompted to re-authenticate within 1-2 hours to ensure that their login sessions are evaluated using the new configuration.