You can integrate your Citrix deployment with Workspace ONE Access (formerly called VMware Identity Manager) to provide users the ability to access their assigned Citrix-published resources from the Workspace ONE Intelligent Hub app or portal. Citrix-published resources include applications and desktops in Citrix XenApp and XenDesktop server farms. Desktops are also referred to as Citrix-published delivery groups.
You manage Citrix-published applications and desktops in the Citrix management console. You also set user and group entitlements in the Citrix console, not in the Workspace ONE Access console. You must sync these users and groups to the Workspace ONE Access service from Active Directory before integrating Workspace ONE Access with the Citrix server farms.
To integrate Citrix server farms with Workspace ONE Access, you create one or more virtual apps collections in the Workspace ONE Access console. The collections contain the configuration information for the server farms as well as sync settings.
You can set up a sync schedule for each collection to regularly sync resources and entitlements from the Citrix server farms to the Workspace ONE Access service.
After you integrate the Citrix server farms, you can view the synced resources and entitlements in the Workspace ONE Access console.
End users can launch Citrix-published applications and desktops from the Intelligent Hub app or portal. They install Citrix Workspace app (formerly called Citrix Receiver) on their systems and devices to access the resources to which they are entitled.
Supported Citrix Versions
- Workspace ONE Access supports the following Citrix versions:
- Citrix Virtual Apps and Desktops 7 1912 LTSR
- XenApp and XenDesktop 7.15 LTSR
- XenApp and XenDesktop 7.6 LTSR
- Workspace ONE Access connects to the Citrix server farm using the Citrix StoreFront API. In your Citrix deployment, make sure that the StoreFront version corresponds to the Citrix server farm version.
Note: Workspace ONE Access does not support Citrix Web Interface.
Supported Citrix Authentication Methods
Workspace ONE Access only supports password-based authentication on the XenApp server or NetScaler server. It does not support other authentication methods such as Smart Card, HTML 5, 2 factor authentication, or SAML authentication (Citrix FAS).
Supported Citrix Features
Workspace ONE Access supports the following XenApp and XenDesktop features.
- Application and desktop launch with Citrix StoreFront API
- External launch with NetScaler
- Application group functionality
Workspace ONE Access supports the application group feature available in Citrix deployment versions 7.15 LTSR and 1912 LTSR. Application groups are a logical grouping of applications and desktops, and entitlements can be provided at the application group level.
- Disabling applications on the XenApp and XenDesktop server
If the administrator disables an application on the XenApp or XenDesktop server, the application is hidden in Workspace ONE Access.
- Limiting visibility for an application
This feature sets the visibility for an application. Workspace ONE Access honors the entitlements set at the application level.
- Showing an application to the entire delivery group
In XenApp and XenDesktop, visibility for an application can be set to Show this application to entire delivery group. The application inherits the entitlements from the delivery group.
- Entitlements at the desktop level
Workspace ONE Access honors entitlements for desktops that are set at the desktop level.
- Static desktop sync and launch
Static desktops configured in XenApp and XenDesktop can be synced and launched from Workspace ONE Access.
Citrix StoreFront Requirements
The Virtual App service uses the Citrix StoreFront REST API to authenticate with and generate ICA files from the Citrix deployment to launch desktops and applications.
Make sure that you meet the following requirements for StoreFront.
- Ensure that StoreFront is supported by the Citrix server farm version that you are using and that the StoreFront version corresponds to the Citrix server farm version.
- Ensure that all instances of the Workspace ONE Access Virtual App service can communicate with the StoreFront server.
- Ensure that you specify the same farm name in StoreFront and in the Citrix Delivery Controller or XML Broker.
- If the StoreFront URL is behind a load balancer, ensure that the load balancer does not have any additional authentication requirements such as MFA. The Virtual App service must be able to access the StoreFront URL without additional authentication requirements from the load balancer.
The Virtual App service only supports the NetScaler load balancer. It does not support any other load balancers.
- Workspace ONE Access only supports user name and password authentication on the XenApp server or NetScaler server. It does not support other authentication methods such as Smart Card, HTML 5, 2 Factor Authentication, or SAML Authentication (Citrix FAS).
- In the StoreFront server, when you configure authentication for a store, trusted domains can be configured for the "User name and password" authentication method. If you configure trusted domains, ensure that you add domain names in the fully qualified domain name format to the "Trusted domains" list. If you use NetBIOS names for StoreFront, add the fully qualified domain name in addition to the NetBIOS name. Workspace ONE Access requires the fully qualified domain name. If only the NeTBIOS name is added, Citrix application and desktop launch from Workspace ONE will fail.