Providing access to virtual apps and desktops

Citrix Receiver requires configuration of either Web Interface or StoreFront to deliver apps and desktops from your XenApp or XenDesktop deployment.

Web Interface

There are two types of Web Interface sites: XenApp Services (formerly Program Neighborhood Services) sites and XenApp websites. Web Interface sites enable user devices to connect to the server farm.


You can configure StoreFront to provide authentication and resource delivery services for Citrix Receiver, enabling you to create centralized enterprise stores to deliver desktops and applications through XenApp and XenDesktop, and Worx Mobile Apps and mobile apps you’ve prepared for your organization through XenMobile.

Authentication between Citrix Receiver and a Web Interface site or a StoreFront store can be handled using a variety of solutions:

  • Users inside your firewall can connect directly to Web Interface or StoreFront.
  • Users outside your firewall can connect to StoreFront or the Web Interface through NetScaler Gateway.
  • Users outside your firewall can connect through NetScaler Gateway to StoreFront.

Connecting through NetScaler Gateway

NetScaler Gateway 10 and 11 are supported by Citrix Receiver for Android for access to:

  • Web Interface 5.4 XenApp Services Sites and XenApp Web Sites
  • StoreFront 2.6, 3.0, 3.5, 3.6, 3.7, 3.8, 3.9 and 3.11 stores

Both single-source and double-source authentication are supported on Web Interface sites and StoreFront.

You can create multiple session policies on the same virtual server depending on the type of connection (such as ICA, CVPN, or VPN) and type of Receiver (Web Receiver or locally installed Citrix Receiver). All of the policies can be achieved from a single virtual server.

When users create accounts on Citrix Receiver, they should enter the account credentials, such as their email address or the matching FQDN of your NetScaler Gateway server. For example, if the connection fails when using the default path, users should enter the full path to the NetScaler Gateway server.

To connect to XenMobile

To enable remote users to connect through NetScaler Gateway to your XenMobile deployment, you can configure NetScaler Gateway to work with AppController or StoreFront (both components of XenMobile). The method for enabling access depends on the edition of XenMobile in your deployment:

Enabling access to XenMobile 9:

Client Certificate Authentication

Enabling access to XenMobile 10:

NetScaler Gateway and XenMobile

If you deploy XenMobile in your network, allow connections from remote users to AppController by integrating XenMobile and AppController. This deployment allows users to connect to AppController to obtain their web, Software as a Service (SaaS), and mobile apps, and access documents from ShareFile. Users connect through either Citrix Receiver or the NetScaler Gateway Plug-in.

If you deploy XenMobile in your network, allow connections from internal or remote users to StoreFront through NetScaler Gateway by integrating NetScaler and StoreFront. This deployment allows users to connect to StoreFront to access published applications from XenApp and virtual desktops from XenDesktop. Users connect through Citrix Receiver.

To deploy windows and custom apps to your users, you must wrap the apps by using the MDX Toolkit. You can find more information here:

MDX Toolkit

Connecting to StoreFront

Citrix Receiver for Android supports launching sessions from Receiver for Web, provided that the web browser works with Receiver for Web. If launches do not occur, please configure your account through Citrix Receiver for Android directly.


When Citrix Receiver for Web is used from a browser, sessions are not launched automatically when downloading an .ICA file. The .ICA file must be opened manually shortly after its downloaded for the session to be launched.

With StoreFront, the stores you create consist of services that provide authentication and resource delivery infrastructure for Citrix Receiver. Create stores that enumerate and aggregate desktops and applications from XenDesktop sites and XenApp farms, making these resources available to users.

For administrators who need more control, Citrix provides a template you can use to create a download site for Receiver for Android.

Configure stores for StoreFront just as you would for other XenApp and XenDesktop applications. No special configuration is needed for mobile devices. For mobile devices, use either of these methods:

Provisioning files. You can provide users with provisioning files (.cr) containing connection details for their stores. After installation, users open the file on the device to configure Citrix Receiver automatically. By default, Receiver for Web sites offer users a provisioning file for the single store for which the site is configured. Alternatively, you can use the Citrix StoreFront management console to generate provisioning files for single or multiple stores that you can manually distribute to your users.

Manual configuration. You can directly inform users of the NetScaler Gateway or store URLs needed to access their desktops and applications. For connections through NetScaler Gateway, users also need to know the product edition and required authentication method. After installation, users enter these details into Citrix Receiver, which attempts to verify the connection and, if successful, prompts users to log on.

To configure Citrix Receiver to access apps:

When creating a new account, in the Address field, enter the matching URL of your store, such as

Continue by completing the remaining fields and select the NetScaler Gateway authentication method, such as enabling the security token, selecting the type of authentication, and saving the settings.

When adding an account using an automatic configuration you can enter the FQDN of a StoreFront server or NetScaler, or you can alternatively use an email address to create a new account. You are then prompted to enter the user credentials before logging on.

More information:

For more information about configuring access to StoreFront through NetScaler Gateway, see:

Managing Access to StoreFront Through NetScaler Gateway

Integrating StoreFront with NetScaler Gateway

Connecting to Web Interface

Citrix Receiver can launch applications through your Web Interface site. Configure the Web Interface site just as you would for other XenApp and XenDesktop apps and desktops. No special configuration is needed for mobile devices.

Citrix Receiver supports Web Interface version 5.4 only. In addition, users can launch applications from Web Interface 5.4 using the Firefox mobile browser.

To launch applications on the Android device:

From the device, users log into the Web Interface site using their normal logon and password.

For more information about configuring Web Interface sites see:

Configuring Web Interface

Keyboard layout synchronization

To enable keyboard layout synchronization, go to Settings inside Citrix Receiver for Android and check Enable client IME.


  • The VDA must be version 7.16 or later.
  • Administrators must enable the Enhanced support for Asian languages feature on the VDA. By default, the feature is enabled. However, on Windows Server 2016 VDA, you must add a new key called DisableKeyboardSync and set the value to 0 in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA\IcaIme to enable the feature.
  • Administrators must enable the Unicode keyboard layout mapping feature on the VDA. By default, the feature is disabled. To enable it, create the CtxKlMap key under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix and set DWORD value EnableKlMap = 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxKlMap.


  • This feature works only on soft keyboards on the devices, not on external keyboards.
  • Certain mobile devices might not fully support keyboard layout synchronization, such as the Nexus 5x
  • The keyboard layout can only be synced from the client to the server. When changing the server-side keyboard layout, the client keyboard layout cannot be changed.
  • When you change the client keyboard layout to a non-compatible layout, the layout might be synced on the VDA side, but functionality cannot be confirmed.
  • Remote applications that run with elevated privileges (for example, applications you run as an administrator) can’t be synchronized with the client keyboard layout. To work around this issue, manually change the keyboard layout on the VDA or disable UAC.

Enabling smart card support

Receiver for Android mobile devices provides support for Bluetooth smart card readers with StoreFront, Web Interface-based site, or a PNA site. If smart card support is enabled, you can use smart cards for the following purposes:

  • Smart card logon authentication. Use smart cards to authenticate users to Receiver.
  • Smart card application support. Enable smart card-aware published applications to access local smart card devices.
  • Signing documents and email. Applications such as Microsoft Word and Outlook that are launched in ICA sessions can access smart cards on the mobile device for signing documents and email.

Supported smart cards:

  • PIV cards
  • Common Access Cards

Configuring smart card support on the device

  1. You must pair the smart card with the mobile device. For more information about how to pair smart card readers with the device, refer to the smart card reader specifications.

    Smart card support for Android devices has the following prerequisites and limitations:

    • Receiver supports this feature on all the Android devices listed by the Biometric Associates middleware.
    • Some users might have a global Pin number for smart cards; however, when users log on to a smart card account, they should enter the PIV pin, not the global smart card pin. This is a third-party limitation.
    • Smart card authentication might be slower than password authentication. For example, after disconnecting from a session, wait about 30 seconds before attempting to reconnect. Reconnecting to a disconnected session too quickly might cause Receiver to fail.
    • Smart card authentication is not supported for browser-based access or from a XenApp site.
  2. Install Android PC/SC-Lite service on the Android device before adding a smart-card aware account. This service is available in the form of an .apk file in the baiMobile SDK.

    For Android, the PC/SC-Lite .apk file can be downloaded from the Google Play Store.

  3. In Receiver, select the Settings icon, and select Accounts, select Add Account, or edit an existing account.

  4. Configure the connection, and turn on the smart card option.

Installing Citrix Receiver on an SD card

Citrix Receiver for Android is optimized for local installation on user devices. However, if devices have insufficient storage, users can install Receiver on an external SD card and mount it on the device to launch published apps on their mobile devices. This support is provided by default and no additional configuration is required.

To launch an app using the SD card, select the app from the list of Receiver apps on the user device, and then select Move to SD card.

If users opt to install Receiver on an external SD card to launch apps, the following issues exist:

  • Mounting a USB storage device while the SD card is mounted on the mobile device causes the SD card to become unavailable, and if apps were running, they stop running when the USB device is mounted.
  • Some AppWidgets (such as the home screen widgets) are not available when an app is running from the SD card. After unmounting the SD card, users must restart the AppWidgets.

If users install Receiver locally on their user devices, they can move Receiver to the SD card when needed.

Accessing files using file type association

As a prerequisite for this feature to work, go to the Receiver for Android settings and set the Use device storage option to Full Access.

Receiver for Android reads and applies the settings configured by administrators in Citrix Studio. To apply FTA in a session, ensure that users connect to the Store server where the FTA is configured.

On the user device, select the file you want to launch File Explorer and click Open. The Android operating system provides an option to launch the file using Receiver for Android (applying the FTA configured by the administrator) or a different application. Depending on your earlier selection, a default application might or might not be set. You can change the default application using the Change default option.


This feature is available only on StoreFront and requires XenApp and XenDesktop Version is 7 or later.


  • You can access only MIME file formats supported by Microsoft Office, Adobe Acrobat reader and Notepad applications using the file type association feature.