Set up the Citrix SSO app in an Intune Android Enterprise environment
The topic captures details about deploying and configuring the Citrix SSO app via Microsoft Intune. This document assumes that Intune is already configured for Android Enterprise support and device enrollment is already done.
Prerequisites
- Intune is configured for Android Enterprise Support
- Device enrollment is complete
To set up the Citrix SSO app in an Intune Android Enterprise environment
- Add Citrix SSO app as a managed app
- Configure managed app policy for Citrix SSO app
Add Citrix SSO app as a managed app
-
Log in to your Azure portal.
-
Click Intune on the left navigation blade.
-
Click Client Apps in the Microsoft Intune blade and then click Apps in the Client apps blade.
-
Click +Add link in the top right menu options. The Add app configuration blade appears.
-
Select Managed Google Play for the app type.
This adds Manage Google Play search and approve blade if you have configured Android Enterprise.
-
Search for the Citrix SSO app and select it from the list of apps.
Note: If Citrix SSO does not appear in the list, it means that the app is not available in your country.
-
Click APPROVE to approve Citrix SSO for deployment through Managed Google Play store.
The permissions that are required by the Citrix SSO app are listed.
-
Click APPROVE to approve the app for deployment.
-
Click Sync to sync this selection with Intune.
Citrix SSO app is added to the Client apps list. You might have to search for the Citrix SSO app if there are many apps added.
-
Click Citrix SSO app to open the app details blade.
-
Click Assignments in the details blade. Citrix SSO - Assignments blade appears.
-
Click Add group to assign the user groups to which you want to give permissions to install the Citrix SSO app, and click Save.
-
Close the Citrix SSO app details blade.
Citrix SSO app is added and enabled for deployment to your users.
Configure managed app policy for Citrix SSO app
After the Citrix SSO app is added, you must create a managed configuration policy for the Citrix SSO app so that the VPN profile can be deployed to the Citrix SSO app on the device.
-
Open Intune blade in your Azure portal.
-
Open Client Apps blade from the Intune blade.
-
Select App configuration policies item from the Client apps blade and click Add to open the Add configuration policy blade.
-
Enter a name for the policy and add a description for it.
-
In Device enrollment type, select Managed devices.
-
In Platform, select Android.
This adds another configuration option for the associated app.
-
Click Associated app and select Citrix SSO app.
You might have to search for it if you have many apps.
-
Click OK. A configuration settings option is added in the Add configuration policy blade.
-
Click Configuration settings.
A blade to configure the Citrix SSO app appears.
-
In Configuration Settings, select either Use configuration designeror Enter JSON data to configure the Citrix SSO app.
Note:
For simple VPN configurations it is recommended to use the configuration designer.
VPN configuration using user configuration designer
-
In Configuration Settings, select Use configuration designer and Click Add.
You are presented with a key value entry screen for configuring various properties that are supported by the Citrix SSO app. At a minimum you must configure the Server Address and VPN Profile Name properties. You can hover over the DESCRIPTION section to get more information about each property.
-
For example, select VPN Profile Name and Server Address(*) properties and click OK.
This adds the properties to the configuration designer. You can configure the following properties.
-
VPN Profile Name. Type a name for the VPN profile. If you are creating more than one VPN profile, use a unique name for each. If you do not provide a name, the address you enter in the Server Address field is used as the VPN profile name.
-
Server Address(*). Type your Citrix Gateway base FQDN. If your Citrix Gateway port is not 443, also type your port. Use URL format. For example,
https://vpn.mycompany.com:8443. -
Username (optional). Enter the user name that the end users use to authenticate to the Citrix Gateway. You can use the Intune config value token for this field if the gateway is configured to use it (see config value tokens.) If you do not provide a user name, users are prompted to provide a user name when they connect to Citrix Gateway.
-
Password (optional). Enter the password that end users use to authenticate to the Citrix Gateway. If you do not provide a password, users are prompted to provide a password when they connect to Citrix Gateway.
-
Certificate Alias (optional). Provide a certificate alias in the Android KeyStore to be used for client certificate authentication. This certificate is pre-selected for users if you are using certificate-based authentication.
-
ServerCertificatePins (optional). JSON object describing certificate pins used for Citrix Gateway. Example value:
{"hash-alg" : "sha256", "pinset" : ["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="]}. For details, see Citrix Gateway certificate pinning with Android Citrix SSO. -
Per-App VPN Type (optional). If you are using per-app VPN to restrict which apps use this VPN, you can configure this setting.
- If you select Allow, network traffic for app package names listed in the PerAppVPN app list is routed through the VPN. The network traffic of all other apps is routed outside the VPN.
- If you select Disallow, network traffic for app package names listed in the PerAppVPN app list are routed outside the VPN. The network traffic of all other apps is routed through the VPN. Default is Allow.
- PerAppVPN app list. A list of apps whose traffic is allowed or disallowed on the VPN, depending on the value of Per-App VPN Type. List the app package names separated by commas or semicolons. App package names are case sensitive and must appear on this list exactly as they appear in the Google Play store. This list is optional. Keep this list empty for provisioning device-wide VPN.
-
Default VPN profile. The VPN profile name used when Always On VPN is configured for the Citrix SSO app. If this field is empty, the main profile is used for connection. If only one profile is configured, it is marked as the default VPN profile.
Note:
-
For making Citrix SSO app as Always On VPN app in Intune, use VPN provider as custom and com.citrix.CitrixVPN as app package name.
-
Only certificate-based client authentication is supported for Always On VPN by the Citrix SSO app.
-
Admins must select Client Authentication and set Client Certificate to Mandatory in the SSL Profile or SSL Properties on the Citrix Gateway for the SSO app to work as intended.
-
Disable User Profiles
- If you set this value to true, users cannot add new VPN profiles on their devices.
- If you set this value to false, users can add their own VPNs on their devices.
Default value is false.
-
Block Untrusted Servers
- Set this value to false when using a self-signed certificate for Citrix Gateway or when the root certificate for the CA issuing the Citrix Gateway certificate is not in the system CA list.
- Set this value to true to enable the Android operating system validate the Citrix Gateway certificate. If the validation fails, the connection is not allowed.
Default value is true.
-
-
For the Server Address(*) property, enter your VPN gateway base URL (for example,
https://vpn.mycompany.com). -
For VPN Profile Name, enter a name that is visible to the end user in the Citrix SSO app’s main screen (for example, My Corporate VPN).
-
You can add and configure other properties as appropriate to your Citrix Gateway deployment. Click OK when you are done with configuration.
-
Click Permissions section. In this section, you can grant the permissions required by the Citrix SSO app.
-
If you are using the Intune NAC check, the Citrix SSO app requires that you grant Phone state (read) permission. Click Add button to open permissions blade. Currently, Intune displays a significant list of permissions that are available to all the apps.
-
If you are using Intune NAC check, select Phone state (read) permission and click OK. This adds it to the list of permissions for the app. Select either Prompt or Auto grant so that the Intune NAC check can work and click OK.
-
-
Click Add at the bottom of the App configuration policy blade to save the managed configuration for the Citrix SSO app.
-
Click Assignments in the App configuration policy blade to open the Assignments blade.
-
Select the user groups for which you want this Citrix SSO configuration to be delivered and applied.
VPN configuration by entering JSON data
-
In Configuration Settings, select Enter JSON data for configuring the Citrix SSO app.
-
Use the Download JSON template button to download a template that allows for providing more detailed/complex configuration for the Citrix SSO app. This template is a set of JSON key-value pairs to configure all the possible properties that the Citrix SSO app understands.
For a list of all the available properties that can be configured, see Available properties for configuring VPN profile in Citrix SSO app.
-
Once you have created a JSON configuration file, copy and paste its contents in the editing area. For example, the following is the JSON template for basic configuration created previously using the configuration designer option.
This completes the procedure for configuring and deploying VPN profiles for the Citrix SSO app in the Microsoft Intune Android Enterprise environment.
Important:
Certificate used for client certificate-based authentication is deployed using an Intune SCEP profile. The alias for this certificate must be configured in the Certificate Alias property of the managed configuration for the Citrix SSO app.
Available properties for configuring VPN profile in Citrix SSO app
| Configuration Key | JSON Field Name | Value Type | Description |
|---|---|---|---|
| VPN Profile Name | VPNProfileName | Text | Name of the VPN profile (if not set defaults to server address). |
| Server Address(*) | ServerAddress | URL | Base URL of the Citrix Gateway for the connection (https://host[:port]). This is a required field. |
Username (optional) |
Username | Text | User name used for authenticating with the Citrix Gateway (optional). |
| Password (optional) | Password | Text | Password of the user for authenticating with the Citrix Gateway (optional). |
| Certificate Alias (optional) | ClientCertAlias | Text | Alias of the client certificate installed in the Android credential store for use in certificate-based client authentication (optional). Certificate alias is a required field when using certificate-based authentication on Citrix Gateway. |
| Server Certificate Pins (optional) | ServerCertificatePins | JSON Text | Embedded JSON object describing certificate pins used for Citrix Gateway. Example value: {"hash-alg" : "sha256", "pinset" : ["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="]}. Make sure to escape this embedded JSON data when using the JSON configurator. |
| Per-App VPN Type (optional) | PerAppVPN_Allow_Disallow_Setting | Enum (Allow, Disallow) | Are the listed apps allowed (allow list) or disallowed (block list) to use the VPN tunnel. If set to Allow, only listed apps (in the PerAppVPN app list property) are allowed to tunnel through the VPN. If set to Disallow, all apps except the listed ones are allowed to tunnel through the VPN. If no apps are listed the all apps are allowed to tunnel through the VPN. |
| PerAppVPN app list | PerAppName_Appnames | Text | Comma (,) or semicolon (;) separated list of app package names for per-app VPN. The package names must be exactly the same as they appear in the Google Play store app listing page URL. Package names are case sensitive. |
| Default VPN profile | DefaultProfileName | Text | Name of the VPN profile to use when the system starts the VPN service. This setting is used for identifying the VPN profile to use when Always On VPN is configured on the device. |
| Disable User Profiles | DisableUserProfiles | Boolean | Property to allow or not allow the end users to manually create VPN profiles. Set this value to true to disable users from creating VPN profiles. Default value is false. |
| Block Untrusted Servers | BlockUntrustedServers | Boolean | Property to determine if the connection to untrusted gateways (for example, using self-signed certificates or when issuing CA is not trusted by the Android operating system) be blocked? Default value is true (block connections to untrusted gateways). |
| Custom Parameters (optional) | CustomParameters | List | List of custom parameters (optional) that are supported by Citrix SSO app. For details, see Custom Parameters. Check the Citrix Gateway product documentation for available options. |
| List of other VPN profiles | bundle_profiles | List | List of other VPN profiles. Most of the previously mentioned values for each profile are supported. For details, see Properties supported for each VPN in VPN Profile List. |
Custom Parameters
Each custom parameter must be defined using the following key-value names.
| Key | Value Type | Value |
|---|---|---|
| ParameterName | Text | Name of the custom parameter. |
| ParameterValue | Text | Value of the custom parameter. |
Properties supported for each VPN in VPN Profile List
Following properties are supported for each of the VPN profile when configuring multiple VPN profiles using the JSON template.
| Configuration Key | JSON Field Name | Value Type |
|---|---|---|
| VPN Profile Name | bundle_VPNProfileName | Text |
| Server Address(*) | bundle_ServerAddress | URL |
| User name | bundle_Username | Text |
| Password | bundle_Password | Text |
| Client Cert Alias | bundle_ClientCertAlias | Text |
| Server Certificate Pins | bundle_ServerCertificatePins | Text |
| Per-App VPN Type | bundle_PerAppVPN_Allow_Disallow_Setting | Enum (Allow, Disallow) |
| PerAppVPN app list | bundle_PerAppVPN_Appnames | Text |
| Custom Parameters | bundle_CustomParameters | List |
Set Citrix SSO app as Always On VPN provider in Intune
In the absence of an on-demand VPN support in an Android VPN subsystem, the Always On VPN can be used as an alternative to provide seamless VPN connectivity option along with client certificate authentication with the Citrix SSO app. The VPN is started by the operating system when it starts up or when the work profile is turned on.
For making the Citrix SSO app an Always On VPN app in Intune, you must use the following settings.
-
Choose the correct type of managed configuration to use (personally owned with work profile OR fully managed, dedicated, and corporate owned work profile).
-
Create a device configuration profile and select Device restrictions and then go to Connectivity section. Select enable for Always On VPN setting.
-
Choose Citrix SSO app as VPN client. If Citrix SSO is not available as an option, you can choose Custom as VPN Client and enter com.citrix.CitrixVPN in the Package ID field (Package ID field is case sensitive)
-
Leave other options as is. It is recommended not to enable Lockdown mode. When enabled, the device might lose complete network connectivity if VPN is not available.
-
In addition to these settings, you can also set Per-App VPN type and PerAppVPN app list in the App configuration policies page to enable per-app VPN for Android as described in the preceding sections.
Note:
Always On VPN is supported only with client certificate authentication in the Citrix SSO app.
References
Refer to the following topics for more details about setting up connectivity options in Intune.
Limitations
The following are the limitations for per-app VPN in Android Enterprise environment on Android 11+ devices due to package visibility restrictions introduced in Android 11:
- If an app that is part of the allowed/denied list is deployed to a device after the VPN session has started, the end user must restart the VPN session for the app to be able to route its traffic through the VPN session.
- If per-app VPN is used via an Always On VPN session, then after installing a new app on the device, the end user must restart the work profile or reboot the device for the app’s traffic to be routed via the VPN session.