Citrix Workspace Intune

29-04-2021
 |  [RAND-100] - Comments



-->

  1. Install Citrix Workspace Intune
  2. Citrix Workspace Configuration Intune

Intune applications. The following Intune applications can be found in the Azure Portal at Intune Apps All apps. Citrix Workspace App. Name: Citrix Workspace App Type: Windows app (Win32). Dec 23, 2017 If you’ve deployed Windows 10 Modern Management you’ll know that some applications present a challenge for deployment, because Windows 10 MDM supports the Win32 applications via a single MSI file only. Applications such as Citrix Receiver, that are a single EXE (that wraps multiple MSI files), can, therefore, be challenging. You can create a custom wrapper to deploy Receiver, but this. From the Intune Management Portal go to – Device Configuration – Profiles and choose Create Profile. Here you enter the name and description of the Profile. So in my next blog I will show you can can upgrade the Citrix Receiver application to the new Citrix Workspace application! Share this: Click to share on Twitter (Opens in new.

  1. Microsoft Intune is most compared with Jamf Pro, IBM MaaS360, SOTI MobiControl, ManageEngine Desktop Central and Cisco Meraki Systems Manager (MDM+EMM), whereas VMware Workspace ONE is most compared with VMware Horizon 7, Jamf Pro, Citrix Workspace, Microsoft Remote Desktop Services and SOTI MobiControl.
  2. We are hoping to deploy the latest Citrix Workspace app using Microsft Intune. Historically we were using the.bat provided by Citrix to deploy using GPO, so we are not sure if anyone here has used Intune to push the app.

Virtual private networks (VPNs) give users secure remote access to your organization network. Devices use a VPN connection profile to start a connection with the VPN server. VPN profiles in Microsoft Intune assign VPN settings to users and devices in your organization. Use these settings so users can easily and securely connect to your organizational network.

Workspace

This feature applies to:

  • Android device administrator
  • Android Enterprise personally-owned devices with a work profile
  • iOS/iPadOS
  • macOS
  • Windows 10 and newer
  • Windows 8.1 and newer

For example, you want to configure all iOS/iPadOS devices with the required settings to connect to a file share on the organization network. You create a VPN profile that includes these settings. You assign this profile to all users who have iOS/iPadOS devices. The users see the VPN connection in the list of available networks, and can connect with minimal effort.

This article lists the VPN apps you can use, shows you how to create a VPN profile, and includes guidance on securing your VPN profiles. You must deploy the VPN app before you create the VPN profile. If you need help deploying apps using Microsoft Intune, see What is app management in Microsoft Intune?.

Install citrix workspace intune

Note

Citrix Workspace Intune

  • User enrollment for iOS/iPadOS and macOS only supports per-app VPN.

  • You can use Intune custom configuration policies to create VPN profiles for the following platforms:

    • Android 4 and later
    • Enrolled devices that run Windows 8.1 and later
    • Enrolled devices that run Windows 10 desktop
    • Windows Holographic for Business

VPN connection types

Important

Before you can use VPN profiles assigned to a device, you must install the VPN app for the profile. To help you assign the app using Intune, see Add apps to Microsoft Intune.

You can create VPN profiles using the following connection types:

  • Automatic

    • Windows 10

  • Check Point Capsule VPN

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile: Use app configuration policy
    • iOS/iPadOS
    • macOS
    • Windows 10
    • Windows 8.1

  • Cisco AnyConnect

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
    • Windows 10

  • Cisco (IPSec)

    • iOS/iPadOS

  • Citrix SSO

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile: Use app configuration policy
    • Android Enterprise fully managed and corporate-owned work profiles: Use app configuration policy
    • iOS/iPadOS
    • Windows 10

  • Custom VPN

    • iOS/iPadOS
    • macOS

    Create custom VPN profiles using URI settings in Create a profile with custom settings.

  • F5 Access

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
    • Windows 10
    • Windows 8.1

  • IKEv2

    • iOS/iPadOS
    • Windows 10

  • L2TP

    • Windows 10

  • Microsoft Tunnel (standalone client)

    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS

    Important

    In preparation for the public preview of Tunnel client functionality in the Microsoft Defender for Endpoint app, the VPN profile connection type for the Microsoft Tunnel client app has been renamed to Microsoft Tunnel (standalone client). At this time, you should use the Microsoft Tunnel (standalone client) connection type, not the Microsoft Tunnel connection type.

  • NetMotion Mobility

    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS

  • Palo Alto Networks GlobalProtect

    • Android Enterprise personally owned devices with a work profile: Use app configuration policy
    • Android Enterprise fully managed and corporate-owned work profile: Use app configuration policy
    • iOS/iPadOS
    • Windows 10

  • PPTP

    • Windows 10

  • Pulse Secure

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • Windows 10
    • Windows 8.1

  • SonicWall Mobile Connect

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
    • Windows 10
    • Windows 8.1

  • Zscaler

    • Android Enterprise personally owned devices with a work profile: Use app configuration policy
    • Android Enterprise fully managed and corporate-owned work profile: Use app configuration policy
    • iOS/iPadOS

Create the profile

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Choose the platform of your devices. Your options:
      • Android device administrator
      • Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile
      • Android Enterprise > Personally-owned work profile
      • iOS/iPadOS
      • macOS
      • Windows 10 and later
      • Windows 8.1 and later
    • Profile: Select VPN. Or, select Templates > VPN.

  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is VPN profile for entire company.
    • Description: Enter a description for the profile. This setting is optional, but recommended.

  6. Select Next.

  7. In Configuration settings, depending on the platform you chose, the settings you can configure are different. Select your platform for detailed settings:

    • Windows 10 (including Windows Holographic for Business)

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the user or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Secure your VPN profiles

VPN profiles can use many different connection types and protocols from different manufacturers. These connections are typically secured through the following methods.

Certificates

When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in Intune. This profile is known as the identity certificate. It's used to authenticate against a trusted certificate profile (or root certificate) that you create to allow the user's device to connect. The trusted certificate is assigned to the computer that authenticates the VPN connection, typically, the VPN server.

If you use certificate-based authentication for your VPN profile, then deploy the VPN profile, certificate profile, and trusted root profile to the same groups. This assignment makes sure each device recognizes the legitimacy of your certificate authority.

For more information about how to create and use certificate profiles in Intune, see How to configure certificates with Microsoft Intune.

Note

Certificates added using the PKCS imported certificate profile aren't supported for VPN authentication. Certificates added using the PKCS certificates profile are supported for VPN authentication.

User name and password

The user authenticates to the VPN server by providing a user name and password, or derived credentials.

Next steps

  • Assign the profile and monitor its status.
  • You can also create and use per-app VPNs on Android device administrator/Android Enterprise and iOS/iPadOS devices.
downloadWhy can't I download this file?Install Citrix Workspace Intune
GPO configuration
To configure DPI scaling using the Citrix Receiver Group Policy Object administrative template (administrators only)
  1. Open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Receiver > DPI
  3. Select High DPI policy.
  4. Change the settings as required.
  5. Click Apply and OK.
  6. From a command line, run the gpupdate /force command.
Receiver for Windows or Citrix Workspace app for Windows Advanced Preferences UI configuration:
To configure DPI scaling using the graphical user interface:
Note:
You can hide all or part of the Advanced Preferences sheet available from the Citrix Workspace app icon in the notification area. For more information, see Hiding the Advanced Preferences sheet.
  1. Right-click Citrix Receiver for Windows from the notification area.
  2. Select Advanced Preferences and click DPI settings. The DPI settings dialog appears.
  3. Change the settings as required. By default, the option Let the operating system scale the resolution is selected.
  4. Click Save.
  5. Restart the Citrix Receiver for Windows session for the changes to take effect.

Use cases

There are three possible settings for DPI Scaling in the receiver, Scaled, Unscaled and Operating system Scaling. The use cases for the different settings are as follows:
Use case: Operating System Scaling (also known as DPI scaling)
OS scaling is the default and is identical in behavior to previous receiver versions. This corresponds to the UI setting “Let the operating system scale the resolution”, or the High DPI policy set to disabled. This lets Windows handle all DPI scaling. The resolution on the VDA will be scaled and based on the DPI, resulting in a smaller resolution than the client device. This works well for single monitor sessions, and is efficient when connecting to XenApp 6.5 hosts, or supported XenApp/XenDesktop VDAs configured for Legacy Graphics.
This method does not support Mixed DPI; all monitors must have the same DPI or the session will not work. Scaling can cause blurriness in the images, particularly in the case of text. This setting is recommended for users on Windows 7 endpoints if DPI matching is not possible, or those connecting to Legacy VDAs. It can also be used on Windows 10 if there is no Mixed DPI.
Enhancements to the Operating System scaling since Receiver for Windows 4.10
Citrix Workspace app (CWA) for Windows version 1808
CWA for Windows version 1808 provides improvements in graphics quality for sessions using legacy graphics mode (GDI graphics mode), when DPI Scaling is enabled on the client.
Note: The Legacy graphics mode HDX policy can be used for any currently supported Server OS VDA version that supports Windows Server 2008 R2.
The feature enhancement leverages DirectX 11-based scaling on the client where CWA for Windows version 1808 is installed. Because of this, this feature enhancement is not available for Windows 7 client endpoints; as Windows 7 does not support DirectX 11.
Graphics quality improvements will also be seen in double-hop scenarios. Refer to the list below for use cases that support this feature enhancement:
Single-hop
Client endpoint OS: Supported versions of Windows 10 with CWA for Windows installed and DPI Scaling enabled.
VDA OS: Windows Server 2008 R2.
Double-hop
Client endpoint OS: Supported versions of Windows 10 with CWA for Windows installed and DPI Scaling enabled.
1st hop VDA OS: Citrix support versions of Windows 10 with CWA for Windows installed and DPI Scaling enabled.
2nd hop VDA OS: Windows Server 2008 R2.
Notes:
Citrix Workspace IntuneDPI scaling functionality is supported with HDX Windows media redirection, Flash redirection and Browser content redirection features with XenApp and XenDesktop 7.16 (and higher versions).
Use case: Scaled (also known as client scaling)
CitrixThe Scaled setting will scale the resolution on the VDA similarly to OS Scaling, however this setting will support mixed DPI scenarios. This corresponds to the UI setting “Yes”, or the High DPI policy set to enabled and the option for “Scale the session for high resolution” set to “Yes”. This setting works well for mixed DPI scenarios when connecting to supported XenApp & XenDesktop and Citrix Virtual Apps & Desktops VDAs. This is the only way to scale Seamless sessions with mixed DPI.
Considerations when using Scaled configuration:
  • Scaling can cause blurriness in the images, particularly in the case of text.
  • There can be poor performance when connecting to Legacy VDAs (XenApp 6.5, or supported VDAs configured for Legacy Graphics).
  • Local App Access, RTOP, and other plugins that use the window positioning API do not work with Scaling.
  • Seamless apps will “jump” between monitors in this mode to maintain correct scaling, this is by design.

This setting is recommended for users on Windows 10 endpoints connecting to currently supported VDAs. It supports mixed DPI without any additional impact on server resources.
Use case: Unscaled (includes DPI matching feature)
This corresponds to the UI setting “No”, or the High DPI policy set to enabled and the option for “Scale the session for high resolution” set to “No”.
This setting should not cause any blurriness due to scaling because the full-unscaled resolution of all monitors is sent to the session.
Enabling the unscaled setting will create sessions with higher resolution (as compared to scaled sessions), which can impact server performance and scalability, as well as increased bandwidth usage over the HDX connection. For this reason, customers will need to decide whether configuring for unscaled or scaled is more suited to their needs.
This setting is recommended for desktop sessions requiring the best image quality, where the additional server resource usage is acceptable.
Unscaled with DPI matching
The desktop session will launch with a DPI value that matches the DPI value of the endpoint monitor on which the session displays. This will result in text, icon and other object sizes in the desktop session matching that of the endpoint’s monitor.
It is also possible for users to change the endpoint monitor’s DPI value mid-session, which will correspondingly change the desktop session’s DPI value to match. Doing so will also change the desktop session’s display resolution.
Requirements:
  • Endpoint: Windows 7 or Windows 10 with minimum Citrix Workspace app for Windows 1811 installed.
  • VDA: Windows 10 with minimum VDA version 1811 installed.

Limitations:
  • The DPI matching feature is only supported for desktop sessions; seamless sessions are not supported.

Unscaled without DPI matching
When DPI matching is not possible, the unscaled setting will still mean the full resolution is sent but without DPI matching. This can result in small text and icons in apps and desktop sessions.
The DPI can still be set within the VDA after session launch, resulting in the desired text and icon sizes, though this is not possible on RDS desktops, or seamless applications.
Requirements:
  • Endpoint: Windows 7 or Windows 10 with minimum Receiver for Windows 4.10 installed (4.11 recommended to resolve some display issues).
  • VDA: Currently supported VDA versions on supported Windows Server OS and Desktop OS versions.

Limitations:

Citrix Workspace Configuration Intune

  • Even with one of the High DPI settings enabled, a slight blur has been observed in the desktop viewer UI.
  • In a session, when you change the DPI settings and relaunch it, the size of the session window might not be appropriate. As a workaround, resize the session window.

Additional Resources