Oct 14, 2019  By adding a StoreFront account to Citrix Workspace app for Mac or configuring Citrix Workspace app for Mac to point to a StoreFront site, you can configure self-service mode, which enables your users to subscribe to applications through Citrix Workspace app for Mac. This enhanced user experience is similar to that of a mobile app store. If Workspace is installed, this is the process to uninstall Citrix Workspace for MAC:.Of Note. Do not install the app from the APP Store, this causes apps to automatically update.

The new Citrix Workspace app (formerly known as Citrix Receiver) provides a great user experience — a secure, contextual, and unified workspace — on any device. It gives you instant access to all your SaaS and web apps, your virtual apps, files, and desktops from an easy-to-use, all-in-one interface powered by Citrix Workspace services.

Information

Applicable Products

Citrix Workspace App 1904 for Windows and later. Also for Citrix Workspace App 1910 and later.
Note:
Citrix has deprecated weak cryptography across the board. If the configurations on the backend is not updated to support one of the 3 supported strong cipher suites, you will not be able to connect.
At least one of these is required:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)


Objective

This feature is an important change to the secure communication protocol. Cipher suites with the prefix TLS_RSA_ do not offer forward secrecy and are considered weak. These cipher suites were deprecated in Citrix Receiver version 13.10 with an option for backward compatibility.

In this release, the TLS_RSA_ cipher suites have been removed entirely. Instead, this release supports the advanced TLS_ECDHE_RSA_ cipher suites. If your environment is not configured with the TLS_ECDHE_RSA_ cipher suites, client launches are not supported due to weak ciphers.

This document aims to detail the changes to the cipher suites.

What’s New?

The following advanced cipher suites are supported:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

In earlier releases, the GPO configuration that was available under the below Computer Configuration node which allowed to enable the deprecated cipher suites has been removed now.

Administrative Template > Citrix Component > Citrix Workspace > Network Routing > Deprecated Cipher Suites
The following cipher matrix provides the ciphers supported by the latest SSL SDK:

Expected failure scenarios and edge cases

Mac
  • TCP

    • OPEN mode: Session launch is not supported when the client is configured for GOV and the VDA for COM. This happens because a common cipher suite is absent.

    • FIPS/NIST(SP800-52) compliance mode: Session launch is not supported when the VDA is configured for COM the client for COM, GOV, or ANY, or the other way around. This happens because a common cipher suite is absent.
  • DTLS v1.0 supports the following cipher suites:
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • DTLS v1.2 supports the following cipher suites:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • Therefore, session launch is not supported from a client configured for GOV to a VDA configured for COM. Also, fallback to TCP is not supported. When you use DTLS v1.0, session launch is not supported for clients configured for GOV because a common cipher suite is absent.
.
  • DTLS does not support FIPS/NIST compliance modes.
  • DTLS v1.2 is supported by Windows 10 (1607 and later) and Windows 2016 VDAs. For more information, see Knowledge Center article https://support.citrix.com/article/CTX230010.
  • DTLS v1.2 is not supported by Citrix Gateway. This scenario can be tested only with DTLS v1.0. For Citrix Gateway ciphers troubleshooting, see Knowledge Center article https://support.citrix.com/article/CTX235509.

The following matrices provide details of internal and external network connections:Citrix Workspace For Mac
  • Matrix for internal network connections (Citrix Gateway scenario)

  • Matrix for external network connections (Citrix Gateway scenario)

Note: When NetScaler Gateway is used

  1. For the EDT to work, NetScaler Gateway must be of version 12.1 or higher since the older versions doesn't support ECDHE cipher suites in DTLS mode.

  2. NetScaler Gateway doesn't support DTLS 1.2 so TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 are not supported and NetScaler Gateway must be configured to use TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA for it to work in DTLS 1.0

Applicable Products

  • Citrix Workspace
  • Receiver for Mac

Symptoms or Error

Citrix Workspace App and Citrix Receiver cannot launch applications automatically with Safari version 12.


Solution

Citrix Workspace Download For Windows 10

SERVER SIDE CHANGES
For StoreFront deployments, modify web.config under the Receiver for Web (RfWeb) site (typically C:inetpubwwwrootCitrixStoreWeb) to activate the Citrix Receiver Launcher / Citrix Workspace App Launcher for Safari 12 and later.

1. Open web.config using your preferred text editor and locate the line : <protocolHandler enabled='true' platforms='(Macintosh Windows NT).*((Firefox/((5[2-9] [6789][0-9]) ddd)) (Chrome/((4[2-9] [56789][0-9]) ddd)))' skipDoubleHopCheckWhenDisabled='false' />
2. The value of the platforms attribute is a regular expression specifying the browsers that Citrix Receiver Launcher is used for client detection and HDX launches. Change the regular expression to:

'(Macintosh Windows NT).*((Firefox/((5[2-9] [6789][0-9]) ddd)) (Chrome/((4[2-9] [56789][0-9]) ddd))) Macintosh.*Version/(1[2-9] [2-9][0-9]).*Safari/'

3. This will add Safari 12 and later to the list of browsers that Citrix Receiver Launcher will be used.
CLIENT SIDE CHANGES

On a Mac Station running Safari 12 perform the following actions:

  • Launch Safari 12 Browser and select Safari from the Menu on top > go to Preferences and select it

  • In preferences > Select Advanced tab > check Checkbox 'Show Develop Menu in Menu Bar' (Located at the very bottom). This option will enable the Develop tab in Safari top menu

  • Close the preferences window by selecting the red circle on the top left corner
  • Go back to Safari Menu and select > Clear History

  • Then go to Safari Menu and select the Develop Tab > Empty Caches

  • Close All safari windows after this. Make sure no Safari Windows are left open.
  • Test using Safari 12 and browse to Storefront’s receiver for website URL.

CLIENT DETECTION BEHAVIOR ON SAFARI 12
  • Go to https://StorefrontURL/Citrix/StoreNameWeb
  • The first thing a user should see when testing going internally to Storefront’s Website is to detect Receiver/Workspace App. Please select “Detect Receiver/Workspace App”. Image below shows test using receiver.

  • The following window prompt will appear “Do you want to allow this page to open Citrix Receiver Launcher?' please select “Allow”

  • Once “Allow” is selected, no Manual interaction will be required by user. Site will automatically load to go to either “Logon Page when using explicit authentication” or it would “take you to your Apps enumeration” if SSO (Single Sign On) is enabled.
  • Once user is logged in, when trying to launch an application or desktop the following prompt will show for user to select 'Allow'

Citrix Workspace For Mac



ADDITIONAL CONSIDERATIONS
  • When users are connecting internally and Storefront server is using an Internal SSL cert. Mac stations must have the CA Root and or Intermediate Certificate added to their Keychain Store in the Mac. Additionally, SSL certIFICATE must be set to Always trust / Allow. See example below:

Note: You should clear browser cache and history before the changes mentioned in this article can take effect.

Problem Cause

Additional Resources

Citrix Workspace For Mac 1812

You can now use the Application probing feature to proactively monitor the health of applications enabling you to fix issues before the user actually experiences them. For more information refer to Citrix Documentation - Application probing.

Citrix Blogs - NPAPI support is being removed from Safari 12

Disclaimer

Uninstall Citrix Workspace For Mac

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.
Coments are closed
Scroll to top