System requirements and compatibility

Citrix Workspace app for Mac supports the following operating systems:

At any point in time, Citrix supports only the latest and the previous two macOS operating systems (N, N-1, and N-2) only.

Compatible Citrix products

Citrix Workspace app is compatible with all the currently supported versions of Citrix Virtual Apps and Desktops, Citrix DaaS (formerly Citrix Virtual Apps and Desktops service), and Citrix Gateway as listed in the Citrix Product Lifecycle Matrix.

Compatible browsers

Citrix Workspace app for Mac is compatible with the following browsers:

Hardware requirements

Connections, Certificates, and Authentication

Connections

Citrix Workspace app for Mac supports the following connections to Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service):

Citrix Workspace app for Mac supports the following configurations:

For LAN connections For secure remote or local connections
StoreFront using StoreFront services or Citrix Receiver for website; Citrix Gateway 12.x-13.x, including VPX

Certificates

Important:

If you’re running macOS 10.15, ensure that your system is compliant with Apple’s requirements for trusted certificates in macOS 10.15. Perform this check before you upgrade to Citrix Workspace app for Mac version 2106.

Private (Self-signed) certificates

If a private certificate is installed on the remote gateway, you must install the root certificate for the organization’s certificate authority on the user device. Then, you can successfully access Citrix resources using Citrix Workspace app for Mac.

Note:

When the remote gateway’s certificate can’t be verified upon connection, an untrusted certificate warning appears, as the root certificate isn’t included in the local keystore. When a user continues to add a store, the store addition fails. However, on the web browser, the user might be able to authenticate to the store but connections to sessions fail.

Importing root certificates for devices

Obtain the certificate issuer’s root certificate and email it to an account configured on your device. When clicking the attachment, you’re asked to import the root certificate.

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app for Mac supports wildcard certificates.

Intermediate certificates with Citrix Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be mapped to the Citrix Gateway server certificate. For information on this task, see Citrix Gateway documentation. For more information about installing, linking, and updating certificates, see How to Install and Link Intermediate Certificate with Primary CA on Citrix Gateway.

Server Certificate Validation Policy

Citrix Workspace app for Mac has a stricter validation policy for server certificates.

When validating a server certificate, Citrix Workspace app for Mac uses all the certificates supplied by the server (or gateway). Citrix Workspace app for Mac then checks whether the certificates are trusted. If none of the certificates are trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app for Mac’s connection to fail.

Suppose that a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, by determining exactly which root certificate is used by Citrix Workspace app for Mac.

Then, Citrix Workspace app for Mac checks that all these certificates are valid. Citrix Workspace app for Mac also checks that it already trusts the “Root Certificate”. If Citrix Workspace app for Mac does not trust the “Root Certificate”, the connection fails.

Important

Some certificate authorities have more than one root certificate. If you require this stricter validation, ensure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (“DigiCert/GTE CyberTrust Global Root”, and “DigiCert Baltimore Root/Baltimore CyberTrust Root”) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (“DigiCert Baltimore Root/Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at the gateway, Citrix Workspace app for Mac connections on those user devices fail. Consult the certificate authority’s documentation to determine which root certificate must be used. Root certificates eventually expire, as do all certificates.

Note:

Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

Now suppose that a gateway is configured with these valid certificates. This configuration, omitting the root certificate, is normally recommended:

Then, Citrix Workspace app for Mac uses these two certificates. It then searches for a root certificate on the user device. If it finds a trusted certificate that validates correctly, such as “Example Root Certificate”, the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app for Mac needs, but also allows Citrix Workspace app for Mac to choose any valid, trusted, root certificate.

Now suppose that a gateway is configured with these certificates:

A web browser might ignore the wrong root certificate. However, Citrix Workspace app for Mac does not ignore the wrong root certificate, and the connection fails.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

Important

Some certificate authorities use a cross-signed intermediate certificate, intended for situations when there’s more than one root certificate. An earlier root certificate is still in use at the same time as a later root certificate. In this case, there are at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “Verisign Class 3 Public Primary Certification Authority - G5.” However, a corresponding later root certificate “Verisign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority.” The later root certificate does not use a cross-signed intermediate certificate.

Note

The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To), but the cross-signed intermediate certificate has a different Issuer name (Issued By). This difference in name distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such “Example Intermediate Certificate 2”).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

Avoid configuring the gateway to use the cross-signed intermediate certificate, as it selects the earlier root certificate:

It isn’t recommended to configure the gateway with only the server certificate:

In this case, if Citrix Workspace app for Mac can’t locate all the intermediate certificates, the connection fails.

Authentication

For connections to StoreFront, Citrix Workspace app for Mac supports the following authentication methods:

Authentication method Workspace for Web using browsers StoreFront Services site (native) Citrix Gateway to Workspace for Web (browser) Citrix Gateway to StoreFront Services site (native)
Anonymous Yes Yes
Domain Yes Yes Yes* Yes*
Domain pass-through
Security token Yes* Yes*
Two-factor authentication (domain with security token) Yes* Yes*
SMS Yes* Yes*
Smart card Yes Yes Yes* Yes
User certificate Yes Yes (Citrix Gateway Plug-in)

*Available only for deployments that include Citrix Gateway, with or without installing the associated plug-in on the device.

Connectivity requirements

Feature flag management

If an issue occurs with Citrix Workspace app in production, we can disable an affected feature dynamically in Citrix Workspace app even after the feature is shipped. To do so, we use feature flags and a third-party service called LaunchDarkly.

You do not need to make any configurations to enable traffic to LaunchDarkly, except when you have a firewall or proxy blocking outbound traffic. In that case, you enable traffic to LaunchDarkly via specific URLs or IP addresses, depending on your policy requirements.

You can enable traffic and communication to LaunchDarkly in the following ways:

Enable traffic to the following URLs

List IP addresses in an allow list

If you must list IP addresses in an allow list, for a list of all current IP address ranges, see LaunchDarkly public IP list. You can use this list to ensure that your firewall configurations are updated automatically in keeping with the infrastructure updates. For details about the status of the infrastructure changes, see LaunchDarkly Statuspage page.

LaunchDarkly system requirements

Ensure that the apps can communicate with the following services if you have split tunneling on Citrix ADC set to OFF for the following services:

Provision to disable LaunchDarkly service through MDM tool

Starting with version 2210, you can disable the LaunchDarkly service on Citrix Workspace app, irrespective of whether their users are inside or outside the organization’s firewall. To disable the LaunchDarkly service, set the value for the DisableFeatureFlag setting to True.

This service is available for admins who manage Mac devices using the MDM tool.

Note:

Disabling the FeatureFlag requires the admin to restart the device for this setting to take effect.

For more information on how to use MDM, see Mobile Device Management.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

DIESER DIENST KANN ÜBERSETZUNGEN ENTHALTEN, DIE VON GOOGLE BEREITGESTELLT WERDEN. GOOGLE LEHNT JEDE AUSDRÜCKLICHE ODER STILLSCHWEIGENDE GEWÄHRLEISTUNG IN BEZUG AUF DIE ÜBERSETZUNGEN AB, EINSCHLIESSLICH JEGLICHER GEWÄHRLEISTUNG DER GENAUIGKEIT, ZUVERLÄSSIGKEIT UND JEGLICHER STILLSCHWEIGENDEN GEWÄHRLEISTUNG DER MARKTGÄNGIGKEIT, DER EIGNUNG FÜR EINEN BESTIMMTEN ZWECK UND DER NICHTVERLETZUNG VON RECHTEN DRITTER.

CE SERVICE PEUT CONTENIR DES TRADUCTIONS FOURNIES PAR GOOGLE. GOOGLE EXCLUT TOUTE GARANTIE RELATIVE AUX TRADUCTIONS, EXPRESSE OU IMPLICITE, Y COMPRIS TOUTE GARANTIE D'EXACTITUDE, DE FIABILITÉ ET TOUTE GARANTIE IMPLICITE DE QUALITÉ MARCHANDE, D'ADÉQUATION À UN USAGE PARTICULIER ET D'ABSENCE DE CONTREFAÇON.

ESTE SERVICIO PUEDE CONTENER TRADUCCIONES CON TECNOLOGÍA DE GOOGLE. GOOGLE RENUNCIA A TODAS LAS GARANTÍAS RELACIONADAS CON LAS TRADUCCIONES, TANTO IMPLÍCITAS COMO EXPLÍCITAS, INCLUIDAS LAS GARANTÍAS DE EXACTITUD, FIABILIDAD Y OTRAS GARANTÍAS IMPLÍCITAS DE COMERCIABILIDAD, IDONEIDAD PARA UN FIN EN PARTICULAR Y AUSENCIA DE INFRACCIÓN DE DERECHOS.

本服务可能包含由 Google 提供技术支持的翻译。Google 对这些翻译内容不做任何明示或暗示的保证,包括对准确性、可靠性的任何保证以及对适销性、特定用途的适用性和非侵权性的任何暗示保证。

このサービスには、Google が提供する翻訳が含まれている可能性があります。Google は翻訳について、明示的か黙示的かを問わず、精度と信頼性に関するあらゆる保証、および商品性、特定目的への適合性、第三者の権利を侵害しないことに関するあらゆる黙示的保証を含め、一切保証しません。

ESTE SERVIÇO PODE CONTER TRADUÇÕES FORNECIDAS PELO GOOGLE. O GOOGLE SE EXIME DE TODAS AS GARANTIAS RELACIONADAS COM AS TRADUÇÕES, EXPRESSAS OU IMPLÍCITAS, INCLUINDO QUALQUER GARANTIA DE PRECISÃO, CONFIABILIDADE E QUALQUER GARANTIA IMPLÍCITA DE COMERCIALIZAÇÃO, ADEQUAÇÃO A UM PROPÓSITO ESPECÍFICO E NÃO INFRAÇÃO.