Example using UEM / MDM

To deploy Citrix VDA for macOS at scale, streamline the process with a UEM (Unified Endpoint Management) or MDM (Mobile Device Management) tool, which can assist with or automate the entire deployment.

Note:

Microsoft .NET 8.0 is required before proceeding with the following steps. You may also deploy the .NET package to target devices directly from Jamf Pro.

General Workflow:

Roles and responsibilities:

IT Admin

  • Add the VDA package to Jamf Pro
  • Add a policy to install the package and run the script on the target devices
  • Add a script to enroll the VDAs to Citrix DaaS
  • Add a configuration profile to configure the privacy permissions for VDA
  • Create delivery groups and assign the desktops to users from Citrix DaaS

End User

  • Enable the screen recording permission for VDA locally or remotely
  • Sign in to the Citrix workspace and launch sessions

In this section, we use Jamf Pro as an example to provide a possible workflow and steps that you can reference.

Later in the article, we also provide a quick guide using Workspace ONE UEM.

Deployment with Jamf Pro

Section 1 - Deploy the virtual delivery agent for macOS package

This section describes the steps to install the virtual delivery agent for macOS on Mac devices and enroll the devices to the Citrix DaaS.

Add the package for virtual delivery agent for macOS:

  1. Double-click the Apple Disk Image (.dmg) file provided by Citrix.

  2. Copy the package file Citrix VDA for macOS.pkg from the mounted image to another location.

    Note:

    We will upload this file to the Jamf Pro console later.


  3. Log in to the Jamf Pro console, and navigate to Settings -> Computer management -> Packages.

  4. Click New to add a new package.

  5. Enter a display name for the package and upload the package file copied in step 1.


  6. Save the package.

Add a script to enroll the Mac devices to Citrix DaaS:

  1. Log in to the Jamf Pro console, and navigate to Settings -> Computer management -> Scripts.

  2. Click New to add a new script.

  3. Enter the following fields for the script.

    Leave the other fields with default values or enter values based on your environment.

    • Display Name: Enroll Mac Devices to Citrix DaaS (you can choose a different name)

    • Script: Select Shell/Bash for the mode and enter the following as the content. Replace the enrollment token in the script with your own token, as described in Steps to prepare in DaaS management console.

      /opt/Citrix/VDA/bin/VdaEnrollmentTool -EnrollmentToken:eyJhbGciOiJSUzI(use-your-own-enrollment-token-here) -Restart

    • Priority: After


  4. Save the script.
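
A variant of the enrollment script that keeps the token out of the script body, as an added example (not Citrix's or Jamf's own script). It assumes the token is supplied as Jamf script parameter 4 and that it is JWT-shaped, which is inferred only from the eyJ prefix of the sample above; is_jwt_shaped, redact and enroll are names made up for this example.

```shell
#!/bin/sh
# Added example: Jamf Pro enrollment wrapper (not Citrix's script).
# Jamf passes $1-$3 (mount point, computer name, user name); $4 is the
# first custom parameter and is assumed here to carry the enrollment token.

TOOL="/opt/Citrix/VDA/bin/VdaEnrollmentTool"   # path from the page

# Return 0 if the argument looks like a compact JWT: three non-empty
# base64url segments, the first starting with "eyJ". Shape check only,
# the signature is not verified here.
is_jwt_shaped() {
  case "$1" in
    *[!A-Za-z0-9._-]*) return 1 ;;   # character outside base64url and "."
    eyJ*.*.*.*)        return 1 ;;   # more than three segments
    eyJ?*.?*.?*)       return 0 ;;
    *)                 return 1 ;;
  esac
}

# Print a log-safe form of the token: first six characters and the length.
redact() {
  printf '%.6s...(%d chars)' "$1" "${#1}"
}

# Validate the token, confirm the package is installed, then enroll.
enroll() {
  token="$1"
  if ! is_jwt_shaped "$token"; then
    echo "enroll: parameter 4 is not a well-formed token" >&2
    return 2
  fi
  if [ ! -x "$TOOL" ]; then
    echo "enroll: $TOOL not found; did the package install run first?" >&2
    return 3
  fi
  echo "enroll: using token $(redact "$token")"
  "$TOOL" "-EnrollmentToken:$token" -Restart
}

# Run only when Jamf supplied parameter 4.
if [ "$#" -ge 4 ]; then
  enroll "$4"
  exit $?
fi
```

Enter the token as Parameter 4 when you add the script to the policy. A pasted placeholder or a truncated token then fails with a distinct exit status instead of reaching the enrollment tool, and the full token never appears in the script output.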

Add a policy to install the package and execute the script:

  1. Log in to the Jamf Pro console, and navigate to Computers -> Policies.

  2. Click New to add a new policy.

  3. Enter the following fields for the General part.

    • Display Name: Install VDA for macOS (you can choose a different name)

    • Trigger: Enter required details. This guide uses Recurring Check-in as the trigger event. Enter values based on your environment.

    • Execution frequency: Once per computer.


  4. Click Packages, and add the package we created in the previous steps.

  5. Select Install for the action to take on computers.


  6. Click Scripts and add the script we created in the previous steps.

  7. Select After for the priority.


  8. Click the Scope tab, and specify the scope for this policy.

  9. Click Save to save the policy.

    When the policy is pushed to the managed devices, the virtual delivery agent for macOS is installed according to the trigger events you specify for the policy. You can then go to the Citrix DaaS console to view or assign the devices.

Section 2 - Create a Privacy Preferences Policy Control profile

In this section, we create a Privacy Preferences Policy Control (PPPC) profile for the virtual delivery agent for macOS.

The profile grants the virtual delivery agent the Accessibility permission, and lets a standard user grant it the Screen Recording permission.

  1. Log in to the Jamf Pro console, and navigate to Computers -> Configuration Profiles.

  2. Click New to add a new configuration profile.

  3. Enter a display name for the new profile, e.g. Privacy Settings - Citrix VDA for macOS.

  4. Select Privacy Preferences Policy Control.

  5. Click Configure.

  6. Add the following App Access configuration:

    • Identifier: com.citrix.ctxism

    • Identifier Type: Bundle ID

    • Code Requirement: identifier "com.citrix.ctxism" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /*exists*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /*exists*/ and certificate leaf[subject.OU] = S272Y5R93J

    • APP or SERVICE: Add a new item and select Accessibility and Allow.

  7. Add the following App Access configuration.

    • Identifier: com.citrix.ctxgfx

    • Identifier Type: Bundle ID

    • Code Requirement: identifier "com.citrix.ctxgfx" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /*exists*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /*exists*/ and certificate leaf[subject.OU] = S272Y5R93J

    • APP or SERVICE: Add a new item and select ScreenCapture and Allow Standard Users to Allow Access.

  8. Specify the scope for the configuration profile based on your needs.

  9. Save the configuration profile.


After the configuration profile is pushed to and installed on the managed devices, the Accessibility privacy permission is automatically allowed for the Citrix VDA. The Screen Recording permission still needs a standard user to approve it before the Citrix VDA can access it.

Section 3 (Optional) - Enable webcam redirection

This section describes the steps to enable webcam redirection.

First, we need to create a configuration profile to allow the webcam system extensions from Citrix.

  1. Log in to the Jamf Pro console, and navigate to Computers -> Configuration Profiles.
  2. Click New to add a new configuration profile or update an existing configuration profile.
  3. Select System Extensions, and click Configure.
  4. Select Allowed System Extensions for System Extension Types.
  5. Enter S272Y5R93J for Team Identifier. Add the bundle ID com.citrix.mvda.vdacfg.cameraextension under Allowed System Extensions.
  6. Specify the scope for the configuration profile based on your needs.
  7. Save the configuration profile.
  8. Once the configuration profile is configured, it should look like this.

    [Screenshot: System Extensions configuration profile]

Then, we need to create a script to activate the webcam system extension.

  1. Log in to the Jamf Pro console, and navigate to Settings -> Computer management -> Scripts.
  2. Click New to add a new script.
  3. Enter the following fields for the script.

    • Script: Select Shell/Bash for the mode and enter the following as the content.

      "/Applications/VDA Configuration.app/Contents/MacOS/VDA Configuration" activate-camera-redirection

    • Priority: After

  4. Add this script to a new or existing policy and configure the scope accordingly.

Section 4 (Optional) - Enable Single Sign-On while logging in to the session

This section describes the steps to enable Single Sign-On while logging in to the session.

  1. Log in to the Jamf Pro console, and navigate to Settings -> Computer management -> Scripts.
  2. Click New to add a new script.
  3. Enter the following fields for the script.
    • Script: Select Shell/Bash for the mode and enter the following as the content. Replace the option value according to your own needs. You can check the available options from the Single Sign-On guide.

      /usr/bin/osascript /opt/Citrix/VDA/bin/ctxsso.scpt -option 1 -silent

    • Priority: After

  4. Add this script to a new or existing policy and configure the scope accordingly.

Section 5 - Allow Screen Recording for Citrix VDA on managed devices

This section describes the steps to allow screen recording for Citrix VDA on the managed devices.

When the configuration profile created in the previous step is installed on the managed devices, the screen recording permission still needs to be allowed manually to make Citrix VDA work.

  1. Log on to the target Mac devices using any standard or admin user.

    Note:

    You may consider enabling remote desktop for the target devices to allow remote access if the target devices cannot be accessed locally.

    For more information, see Remote Commands for Computers in the Jamf Pro docs. After this command is performed on a target device, users can then remotely access this device using any VNC client.

  2. Open the System Settings app, and navigate to Privacy & Security.

  3. Click Screen & System Audio Recording.

  4. Find Citrix Graphics Service in the list and click the toggle to enable it.


After the permission is properly configured, this target device will be ready for session launches from Citrix Workspace App.

Quick guide using Workspace ONE UEM

  1. Log in to the Workspace ONE UEM console.

  2. Go to Resources > Profile & Baselines > Add > Add Profile.


  3. Select macOS.


  4. Select Device Profile.


  5. Scroll down to Privacy Preferences.

  6. Click the Add Button.


  7. Enter the Identifier: com.citrix.ctxism

  8. Select Bundle ID.

  9. Enter the Code requirement: identifier "com.citrix.ctxism" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /*exists*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /*exists*/ and certificate leaf[subject.OU] = S272Y5R93J

  10. Scroll down and set the Accessibility to Allow.


  11. Click + ADD to add a second Privacy Preference.

  12. Enter the Identifier: com.citrix.ctxgfx

  13. Select Bundle ID.

  14. Enter the Code requirement: identifier "com.citrix.ctxgfx" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /*exists*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /*exists*/ and certificate leaf[subject.OU] = S272Y5R93J


  15. Scroll down and set the Screen Capture to Allow standard User to set system service.


  16. Press the Next button at the bottom right and assign the profile.
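
The two App Access entries appear both in Section 2 (Jamf Pro) and in the quick guide above, and their code requirements differ only in the bundle ID, so a copy-paste slip is easy to miss. The following lint is an added example, not part of the Citrix, Jamf or Workspace ONE tooling; the pipe-separated entry format and the names page_req and lint_entry are constructed for it, and the authorization names are the PPPC payload values corresponding to the console options.

```shell
#!/bin/sh
# Added example: lint for the page's two PPPC App Access entries.
# Entry format (constructed here): identifier|service|authorization|requirement
TEAM_ID="S272Y5R93J"   # Team Identifier given on the page

# Code requirement text as given on the page, for bundle ID $1.
page_req() {
  printf 'identifier "%s" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /*exists*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /*exists*/ and certificate leaf[subject.OU] = %s' "$1" "$TEAM_ID"
}

# Print "ok" or the first problem found; return 0 or 1.
lint_entry() {
  IFS='|' read -r id svc auth req <<EOF
$1
EOF
  # The requirement must name the same bundle ID as the Identifier field.
  case "$req" in
    "identifier \"$id\" and "*) ;;
    *) echo "requirement does not pin identifier $id"; return 1 ;;
  esac
  # Apple anchor plus the Developer ID CA and leaf certificate markers.
  for clause in 'anchor apple generic' \
      'certificate 1[field.1.2.840.113635.100.6.2.6]' \
      'certificate leaf[field.1.2.840.113635.100.6.1.13]'; do
    case "$req" in
      *"$clause"*) ;;
      *) echo "missing clause: $clause"; return 1 ;;
    esac
  done
  # The team OU must close the requirement, so no suffix can widen it.
  case "$req" in
    *" and certificate leaf[subject.OU] = $TEAM_ID") ;;
    *) echo "team OU is not pinned to $TEAM_ID"; return 1 ;;
  esac
  # ScreenCapture cannot be pre-approved by a profile; only Accessibility can.
  case "$svc:$auth" in
    Accessibility:Allow|ScreenCapture:AllowStandardUserToSetSystemService) ;;
    *) echo "unsupported authorization $auth for $svc"; return 1 ;;
  esac
  echo ok
}

lint_entry "com.citrix.ctxism|Accessibility|Allow|$(page_req com.citrix.ctxism)"
lint_entry "com.citrix.ctxgfx|ScreenCapture|AllowStandardUserToSetSystemService|$(page_req com.citrix.ctxgfx)"
```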
