You can integrate your Citrix deployment with Workspace ONE Access to provide users access to their assigned Citrix-published resources from the Workspace ONE Intelligent Hub app or portal. Citrix-published resources include applications and desktops in Citrix XenApp and XenDesktop server farms. Desktops are also referred to as Citrix-published delivery groups.
You manage Citrix-published applications and desktops in the Citrix management console. You also set user and group entitlements in the Citrix console, not in the Workspace ONE Access console. You must sync these users and groups to the Workspace ONE Access service from Active Directory before integrating Workspace ONE Access with the Citrix server farms.
To integrate Citrix server farms with Workspace ONE Access, you create one or more virtual apps collections in the Workspace ONE Access console. The collections contain the configuration information for the server farms, and also contain sync settings.
You can set up a sync schedule for each collection to regularly sync resources and entitlements from the Citrix server farms to the Workspace ONE Access service.
After you integrate Citrix server farms, you can view the synced resources and entitlements in the Workspace ONE Access console.
End users can launch Citrix-published applications and desktops from the Intelligent Hub app or portal. They install Citrix Workspace app, formerly called Citrix Receiver, on their systems and devices to access the resources to which they are entitled.
Supported Citrix Versions
- Workspace ONE Access supports the following Citrix versions:
- Citrix Virtual Apps and Desktops 7 2203 Long Term Service Release (LTSR)
- Citrix Virtual Apps and Desktops 7 1912 LTSR
- XenApp and XenDesktop 7.15 LTSR
- XenApp and XenDesktop 7.6 LTSR
- Workspace ONE Access supports the following versions of Citrix Gateway:
Note: If you cannot use any of these versions, an option is to set up a StoreFront server to generate ICA files for Citrix Gateway. See External Access With Citrix Gateway (NetScaler) Configured as ICA Proxy.
- Workspace ONE Access connects to the Citrix server farm using the Citrix StoreFront API. In your Citrix deployment, make sure that the StoreFront version corresponds to the Citrix server farm version.
Note: Workspace ONE Access does not support Citrix Web Interface.
Supported Citrix Authentication Methods
Workspace ONE Access only supports password-based authentication on the XenApp or Citrix Gateway server. It does not support other authentication methods such as Smart Card, HTML 5, 2 factor authentication, or SAML authentication (Citrix FAS).
Supported Citrix Features
Workspace ONE Access supports the following Citrix features.
- Application and desktop launch with Citrix StoreFront API
- External launch with Citrix Gateway
- Multi-site aggregation
The Citrix multi-site aggregation feature aggregates and de-duplicates application and desktop resources from multiple sites. If multi-site aggregation is configured in StoreFront, select the corresponding setting, Enable multi-site aggregation, for the virtual app collection in Workspace ONE Access.Important:
- Workspace ONE Access connector 22.09 and later support multi-site aggregation.
- To configure multi-site aggregation in Workspace ONE Access, you must complete additional prerequisites.
- Keyword filtering
The Citrix keyword filtering feature lets administrators control resource display and launch by using keywords. If keyword filtering is configured in StoreFront, select the corresponding setting, Enable Citrix keyword filtering, in the Workspace ONE Access connector installer.Important:
- Workspace ONE Access connector 22.09 and later support keyword filtering.
- To configure keyword filtering in Workspace ONE Access, you must complete additional prerequisites.
- Application group functionality
Workspace ONE Access supports the application group feature available in Citrix deployment versions 7.15 LTSR, 1912 LTSR, and 2203 LTSR. Application groups are a logical grouping of applications and desktops, and entitlements can be provided at the application group level.
- Disabling applications on the XenApp and XenDesktop server
If the administrator deactivates an application on the XenApp or XenDesktop server, the application is hidden in Workspace ONE Access.
- Limiting visibility for an application
This feature sets the visibility for an application. Workspace ONE Access honors the entitlements set at the application level.
- Showing an application to the entire delivery group
In XenApp and XenDesktop, visibility for an application can be set to Show this application to entire delivery group. The application inherits the entitlements from the delivery group.
- Entitlements at the desktop level
Workspace ONE Access honors entitlements for desktops that are set at the desktop level.
- Static desktop sync and launch
Static desktops configured in XenApp and XenDesktop can be synced and launched from Workspace ONE Access.
Citrix StoreFront Requirements
The Virtual App service uses the Citrix StoreFront REST API to authenticate with and generate ICA files from the Citrix deployment to launch desktops and applications.
Make sure that you meet the following requirements for StoreFront.
- Ensure that StoreFront is supported by the Citrix server farm version that you are using and that the StoreFront version corresponds to the Citrix server farm version.
- Ensure that all instances of the Workspace ONE Access Virtual App service can communicate with the StoreFront server.
- Ensure that you specify the same farm name in StoreFront and in the Citrix Delivery Controller or XML Broker.
- If the StoreFront URL is behind a load balancer and the load balancer has additional authentication requirements such as multi-factor authentication (MFA), you must set up a separate authentication policy for the Virtual App service traffic. See Configuring Citrix Gateway Authentication Policies for Workspace ONE Access.
- The Virtual App service only supports the Citrix Gateway load balancer. It does not support any other load balancers.
You must configure the load balancer with source IP-based session persistence.
- Workspace ONE Access only supports user name and password authentication on the XenApp server or the Citrix Gateway server. It does not support other authentication methods such as Smart Card, HTML 5, 2 Factor Authentication, or SAML Authentication (Citrix FAS).
- In the StoreFront server, when you configure authentication for a store, trusted domains can be configured for the "User name and password" authentication method. If you configure trusted domains, ensure that you add domain names in the fully qualified domain name format to the "Trusted domains" list. If you use NetBIOS names for StoreFront, add the fully qualified domain name in addition to the NetBIOS name. Workspace ONE Access requires the fully qualified domain name. If only the NeTBIOS name is added, Citrix application and desktop launch from Workspace ONE fails.
- If StoreFront has multi-site aggregation or keyword filtering configured, additonal requirements apply for Workspace ONE Access to support these features. See Configuring Citrix Multi-site Aggregation and Keyword Filtering in Workspace ONE Access.