Category Archives: CTA

What BCP Availability Strategy for Citrix DaaS? Service Continuity (SC) or Local Host Cache (LHC)

Consider this an evergreen article with *pro-active adds/moves/changes inclusive of errors/mistakes until I remove this statement.

Architectural Doodle
The diagram below provides a high level architectural difference between Local Host Cache (LHC) v Service Continuity (SC) and how you can weaponise Citrix Analytics for Performance to enable pro-active management of your workloads in a single hypersacler cloud or multi-cloud hyperscater strategy.

Visualising the Value of Change using a Force Field Analysis (FFA)
A FFA is a business methodology helping to visualise through a meaningful contextual analysis, why a business and or e.g technology decision for “change” is the right and relevant direction of travel. It helps by amplifying the understanding of ”the what the change is, the how, the what if and the why change” towards anew future desired state e.g buy a music title per song vs. a music subscription to rent the music over a period of time.

The example analysis below is a technology change decision shifting from Local Host Cache (LHC) current to Service Continuity (SC) future state – improving IT’s operational resiliency capability and capacity considering todays current climate and threat of digital warfare aligned to internal business priorities and or executive KPIs ranging from strict security compliance & governance, hybrid multi-cloud failover (between cloud hyperscalers) to becoming cloud first/native adopting aaS tooling where right and relevant e.g I/PaaS to help IT accelerate DEX at the required pace and execution agility.

This example analysis is representative of my personal field technologist landscape experience and backed by a robust and diverse pool of customers ranging in size and verticalisation. Remember you do not have to agree with my field experience the concept is to weaponise this business tool as a force for good change in organisations wanting change that is well meaningful and or to back and better understand cost v value driven business strategies during forces of change.

Score Hindering Forces Service Continuity (SC) Driving Forces Score
3 Traditional method doesn’t rely on cloud services Modern method to reduce and derisk operational outage 5
5 Strict Governance & Compliance requirements for on-premises workloads only – High security organisations e.g UK Gov entities e.g MoD/M6 Better employee affordance during outages with SC 5
5 Security requirement for on-premises remote access Gateway POP’s controlled by IT/Security to reduce attack surfaces by adversaries including derisking operational outages Cloud first Turn-Key Global v Regional POP Gateway as a Service Strategy 5
2 No support for Citrix Workspace Site Aggregation to On-Premises CVAD environment No technical implementation debit 5
2 ▓ Limitations of Service Continuity for Internet Browsers – use case 3rd parties VPN-Less access without installing CWa on supported endpoints No technical waste and debit – LHC management & monitoring 5
3 Citrix Receiver not supported – use case support for outdated thin clients Citrix Workspace app (CWa) aligned to employee affordance (EX strategy) – Business KPI 5
Alignment to Cloud first Time to Value strategy – Business KPI 5
No LHC BCP testing program to valid solution and verify sizing & scaling annualised changes 5

20

40

▓ Updated 07/03/2022 – Several SC limitations e.g Internet Browsers as a barrier to adoption have now been address learn at – https://www.citrix.com/blogs/2022/03/01/service-continuity-in-citrix-cloud-a-recipe-for-resiliency/.

The outcome of this analysis reveals that while a number of key inner or outer loop stakeholders maybe opposed to the technology change strategy, the FFA outcome is well clear that the driving forces for change is in favour of Service Continuity (SC). You should make every attempt to remediate against the identified hindering forces for change which could be the simple result of:

1. The decision maker(s) perception through experience wasn’t positive.
2. Company culture is adverse to agile change.
3. IT Operations is required to retain more “control” when consuming cloud based I/PaaS services to better derisk outages.
3. Cloud security policies and frameworks have not been approved to enable new types of technologies like SC to be on-boarded and accepted by Enterprise/Cloud/Security Architects.
4. Accept the current business risks are they are and re-evaluate at a future time as the current value out weighs the micro hindering forces.

Understanding Service Continuity (SC)
This a modern way to reduce and derisk availability access to (virtual) applications and desktop during an outage provided the employees endpoint has the capability to access Citrix workloads within your hybrid and or hybrid multi-cloud resource location(s).

Cost v Value Driven Strategies
The following are generic but meaningful examples of the cost and value driven strategies why adopting Service Continuity (SC) to underpin your BCP/DR strategy is the right strategy.

  1. Modern field leading practise or method to reduce and derisk PaaS outages.
  2. Time to value is immediate – its a turn-key out of the box SaaS style experience with no configuration nor IT skills required, no technical nor technology debit incurred.
  3. Leverages Citrix Cloud global turn-key Gateway Service fabric – its service availability uptime is healthy as it operates between two hyperscaler public cloud providers, details accessible using the “Cloud Assurance” micro site on the Citrix Trust Centre at – https://www.citrix.com/about/trust-center/cloud-assurance.html then filtering to the Gateway service + Gateway POPs.
  4. No requirement for bi-annual v annual stress testing and compliance checks for BCP/DR testing. Typically this would involve up to 2-3 days (or more) for enterprise organisations to stress test each site/resource location excluding a further 5 full  business days of planning activities, virtual meetings, whiteboards, approvals e.t.c with multiple stakeholders prior to testing – its an expensive exercise.
  5. No pro-active requirement to manage and monitor a StoreFront pair/cluster configuration, SSL/TLS certificate management, LHC cache integrity at each site/resource location which significantly reduces overhead of monitoring and associated OS licensing and VM operating costs.
  6. The employee affordance (experience) is far superior vs Local Host Cache as a strategy – Icons are greyed out amplifying to the employee that his/her (virtual) application or desktop is unavailable while anything coloured is still accessible and available – this design thinking affordance feature is often overlooked by IT Professionals but evaluation through the lens of a employee e.g PA amplify what is and what is not available.
  7. Supports modern authentication however there are limitations that will occur when SC is evoked see – https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#requirements-and-limitations.

Service Continuity Support Matrix

Platform/Feature/Service Learn More Supported Notes
Citrix Workspace for Web (Chrome/Edge) https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#service-continuity-in-browser ✓* 1.*Requires CWa for Mac 2112 or Windows 2109
2.Kiosk usage is not supported e.g Hotdesking
3.Support internet browsers Google Chrome and Microsoft Edge with plug-in’s installed.
Mac https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/whats-new.html#2112 ✓ CWa 2106+
Windows https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/about.html#21121 ✓ CWa 2106+
Andriod https://docs.citrix.com/en-us/citrix-workspace-app-for-android/whats-new.html#whats-new-in-2220 ✓ CWa 22.2.0
Linux https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/whats-new.html#2109 ✓ CWa 2106 (GA 2109)
iOS https://docs.citrix.com/en-us/citrix-workspace-app-for-ios/whats-new.html#whats-new-in-2225 ✓ CWa 22.2.5 Tech Preview 03/2022
Security & Connectivity Limitations:
EPA Scans
Enlightened Data Transport (EDT) – During outages
Citrix Workspace IdP (Authentication) https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/service-continuity.html#requirements-and-limitations SAML 2.0
AD
AD plus Token
Azure AD
OKTA
Citrix Gateway (primary user claim must be from AD)
Authentication limitations:
SSO for FAS
SSO to VDA
Local mapped accounts
Only AD Domain joined VDAs are supported as of 03/2022

Technical Deep Dive
One of my fellow Citrix Technology Advocates (CTA) and current fellow Citrites Gavin Connolly – https://citrixie.wordpress.com/author/technologistgav/ has written a brilliant in-depth blog post on how it works, how to configure + test it and the employee experience “Affordance” – https://citrixie.wordpress.com/2020/12/22/service-continuity-for-virtual-apps-and-desktop-service/ – Service Continuity for Virtual Apps and Desktop Service.

Understanding Local Host Cache (LHC)
This is the traditional method while equally robust it requires a fair bit of feeding and watering to ensure cache accuracy and resiliency at scale when required to derisk PaaS or a hyperscaler region outage.

Cost v Value Driven Strategies
The following are generic but meaningful examples of the cost and value driven strategies why retaining your current strategy of using Local Host Cache (LHC) which underpins your BCP/DR strategy is the right strategy under the current strict compliance and or risk requirements.

  1. Strict regulatory compliance to maintain some form of “control” when using cloud services.
  2. Industry Specific by Certification and or Government regulation requirements that prohibit cloud based services from being consumed and where an on-premises IT strategy is the only viable option on the table.
  3. Greater control through a co-shared IT responsible operating model e.g brokering workloads using the vendors PaaS but owning the outage risk.
  4. Profound value based platform reliability and stability for bad app farms delivering mission cirtical line of business virtual apps that cant be moved to modern OSes and if become unavaiable may cause significant fiancial harm e.g Utilities
  5. Long term service release strategy alignment objectives

Understanding Citrix Analytics Service (CAS) for Performance
Coming…

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Accelerate migrations to the CVAD Service

A question I’m often asked in the field is how do I get to the Citrix Virtual Apps and Desktops (CVAD) Service at pace or more importantly on my own terms?

The answer can be simple and complex at the same time the previously consultant in me says now says “well it depends”. The challenge with the tag line of “well it depends” often can lead to assumptions like migrating from an on-premises CVAD environment to the CVAD Service is a long and lengthy process that’s cumbersome, however today it couldn’t be further from the truth.

I have worked with many a customer that rotated to the CVAD Service in less than a month to keep either business operations continuing at a time when a crisis hit or a number of impending mergers where occurring and they needed an agile and flexible IT delivery strategy which Citrix Cloud platform is well placed to facilitate and orchestrate bringing together many different workload types in any cloud type – private, public, hybrid and most importantly hybrid multi-cloud environments.

How did these customers achieve this feat? Before I get there remember there is a lot more that needs to be consider with a traditional CVAD deployment (install, upgrade etc), requiring multiple teams to be engaged simultaneously as one (a huge feat in itself which rarely works well as a well oiled machine) from IT to InfoSec, Network and Security teams e.t.c, when you pivot to the Citrix Cloud platform you’re moving to a combination of SaaS (Gateway Service) and PaaS (CVAD Service) and equally removing a fair amount of unnecessary technical and culture debit + resistance. The lost time and productivity due to culture resistance to changing operating models and moving to the CVAD Service cannot be measured but is by far the biggest barrier in my personal field perspective. 

So how can you narrow the economic’s of time of getting to the CVAD Service? Citrix built and released an incredibly powerful tool called the “Automated Configuration Tool” or ACT for short, which allows for the exfiltration of your CVAD operational business logic which can be exported then evaluated and imported into your CVAD Service tenant in the Citrix Cloud by your chosen region e.g https://eu.cloud.com/. Light Bulb moment!

I previously wrote this article in http://axendatacentre.com/blog/2020/11/07/citrix-virtual-apps-desktops-or-cvad-service-migration-strategies/ – “Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies” and the above and below expands upon this brief article from 2020, due to personal circumstances I stepped away largely from many communities and activities.

There are three migration strategy’s to moving to the CVAD Service from an on-premises CVAD environment:

Start A-Fresh
A complete re-evaluation of policies – employee experience vs. security, provisioning strategy. This strategy is wise if you’re well unfamiliar with new enhancements in a multi-dimensional way and been honest with that yourself your CVAD on-premises environment has not been well looked after e.g feed and watered. 

Evaluate & Pivot
Migrate only key business operational IT logic requirements e.g. policies – employee experience vs. security and rebuild Machine Catalogs based upon you’re net new provisioning strategy e.g. MCS from PVS to support hybrid multi-cloud portable workloads. This strategy implies that you keep your on-premises CVAD environment feed and watered often and updated at minimum once every 12 months.

Automate & Migrate
Ingest the entire business operational IT logic from Machine Catalogs, Delivery Groups, Policies and Zones into the CVAD Service from your on-premises e.g. CVAD 1912 Long Term Service Release (LTSR) environment or preferred Current Release (CR) provided that this environment has been well looked after proactively. You will still require a brief evaluate phase during the migration as part of good leading practise and hygiene. 

To get started with how-to use and get the ACT tool checkout this useful Citrix TechZone PoC guide/article – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html.

Finally the simplest and most powerful strategy is to not move any business operational IT logic at all to the CVAD Service initially but you leverage the power of “Affordance” or the appearance of providing the employee with the Citrix Workspace experience vs. StoreFront but technically nothing has changed, all that you are doing is changing the access the lens/portal to be Citrix Workspace. This strategy is fundamentally critical in enabling IT to pivot to the CVAD Service on there own terms as once the employee culture or shock has worn off with this new looking interface IT can in the background begin to use things like the ACT to migrate to the CVAD Service on there own terms and then equally shift there existing ICA proxy configurations to a turn-key SaaS operating model by unlocking the Gateway Service in the Citrix Cloud for the CVAD Service and many others Citrix Cloud Services e.g Secure Workspace Access, the Gateway Service in the Citrix Cloud platform is the default how-to access CVAD workloads, but if you still prefer an on-premises Citrix (ADC) Gateway V/A it’s a case of toggling off the Gateway Service. Customers choose to keep there Citrix ADC V/A for many different reasons and still highly relevant use cases and business or security and governance requirements.

To learn more about the “Site Aggregation” check out – https://docs.citrix.com/en-us/citrix-workspace/add-on-premises-site.html to get stated and to begin your pivot to CVAD Service on your own terms.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Citrix Virtual Apps & Desktops or CVAD Service Migration Strategies

The path to operating from the Citrix Cloud Platform for Citrix Virtual Apps and Desktops often can appear like your need to climb to the summit of K2, this is purely because for IT its foreseen as another key yet, rapid IT Transformation project to solve a multitude of business and business IT challenges (its different organisation by organisation). I’ve therefore put together a simple blended digital doodle on this very topic highlighting some key learnings, leading practises from the field and my own thoughts and thinking on this very topic.

If you want to go deep or even get started on your own migration project today, then i strongly recommend that you read and review the “Proof of Concept: Automated Configuration Tool” available at – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/citrix-automated-configuration.html, which covers off a step by step guide from installation to migration of on-premises CVAD configurations to the CVAD Service operating and run in the Citrix Cloud Platform – https://citrix.cloud.com. The following series of TechZone articles list at – https://docs.citrix.com/en-us/tech-zone.html#citrix-virtual-apps-and-desktops will also add value in your pivot to the CVAD Service.

If you have the right subscription access at https://training.citrix.com, then you can also complete the following on-demand eLearning course “eCWS-2014 | Automated Configuration Tool for Virtual Apps and Desktops” – https://training.citrix.com/elearning/coursequests/1/quest/184, which took me around 45 minutes to complete.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Building an IT Employee Experience Scorecard

Consider this an evergreen post as of 22/09/2020

Introduction
I smile consistently these days hearing how organisations are keeping the UK economic moving forward, pivoting day 1 of the UK COVID-19 lockdown to full-time frictionless secure remote flexible working styles with minimal IT effort + friction powered by Citrix technologies.

I hear many unconsidered benefits from my customers, examples include keeping businesses operating helping their customers and supporting them during the height of the lock down to leap frogging competitors gaining significant market share through to winning new business because operationally they where available and ready with a Citrix powered securely centralised hybrid multi-cloud delivery strategy, when backed with a robust and annually tested Business Continuity Plan (BCP) set them up for instance successful shifting from day one of the UK COVID-19 lockdown to full-time work from home without any major hiccups.

For organisations that weren’t fully Citrix and had a hybrid strategy achieved full work from home swiftly swell using one or more of the following strategies:

1. Many existing hybrid Citrix customers scaled up licensing and re-framed physical workstations sat in the office through Citrix Workspace app to employees now sat at home using a browser on a personal device at home. To the employee everything is where it should be within there virtual desktop, for many this has now fundamentally changed perceptions of why they need to sat in an office for 5 working days in a post COVID-19 non-lockdown world.
2. Scaling up CVAD usage by optimising existing workloads or unlocking dark capacity turned off and deallocated ready within the data centre wherever they choose that to be.
3. The most popular one was to extend into one or multiple public clouds (AWS, Azure) to supporting elastic Citrix Virtual Apps & Desktops (CVAD) workloads whilst remaining in control of public cloud cost economics utilising Citrix AutoScale – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service/manage-deployment/autoscale.html which is part of the CVAD Service.

Finally organisations shifted to focusing on strengthening security within 1-2 weeks, implementing contextual device security powered by Citrix Smart Control and Smart Access technologies beyond IT non-managed devices, as not every employee could take a device home, they didn’t have a device they could use or they just didn’t have the physical space for it at home as you just don’t know your employees WFH requirements, needs and including @home personal circumstances behind closed doors.

In these many organisations hearing all these great stories I noticed a common theme reoccurring in lock down months 1-2. I have a percentage of employees and its all abeit random across the entire organisation encountering good vs. fair vs. poor experiences. Due to the random nature pin pointing the issue was a huge challenge as by the time IT investigated the problem it was largely self-resolved if by magic? My response have you heard about and or deployed and are running Citrix Application Delivery Management (ADM)? A resounding NO 95% of the time. The below diagram 1 visualises the traffic flow of where I am vs. where my delivered Citrix Virtual Desktop is run out of, it likewise can visualise to IT the overhaul traffic, load demand, security & infrastructure health status ref diagram 2.

Diagram 1

Not visualising the employees “Workspace” traffic flow, is where the value of Citrix and ANY Workspace solution is LOST in IT Service delivery. Citrix Application Delivery Management (ADM) is a key enabler in helping remediate employee experience issues, whilst providing a crucial IT Employee Experience Scorecard.” Lyndon-Jon Martin June 2020

The Business IT Value of Citrix ADM
A modern flexible platform with two unique halves much like our human brains with left vs. right hemispheres connected by a nervous system, however in this case ADM has analytical vs. management hemispheres providing fleet management with different roles vs. function; employee, security & infrastructure insights supported by a hybrid multi-cloud architectural strategy enabling less IT Ops friction and complexity on a daily basis. ADM’s centralised management + sense architecture provide simple and or advanced operational experience scorecards for auditors (PCI/DSS/ISO27001 with RBAC for read-only access), security + network teams, IT and Citrix System Administrators alike from a single framed lens who’s nervous system is connected to a hybrid multi-cloud fabric providing unconsidered insights and visibility into capacity, strengthened security posture through monitoring change control and config drifts incl automated fleet management which can be executed across multiple instances in ANY cloud simultaneously or on your own terms. ADM gives IT back the right level of “Control” enabling the less friction shifting workloads with true licensing flexibility + agility to the most commercially attractive vs. the most innovate cloud platform which suites IT and their business demands.

Diagram 2

Having had the privilege of working with world class engineers in the past helping a single customer to process a £1 million pounds per minute through a payment gateway beyond typical web, app traffic of a front door of there website. I learnt that you always require something that you as the MSP or your customer can “Control” in an ANY Cloud + Services architecture for Business Continuity Planning (BCP) and sound IT Operational excellence so you can make better decisions at pace from more accurate data insights visualised. Placing your “Eggs” aka IT Business platform into a single supplier framework even the most trusted IaaS provider and enforcing that your preferred IaaS region is properly fault tolerant and highly-available is equally expensive in cost and complexity much like on-premises, do not be fooled. The IT Complexity Index increases significantly when consuming for example IaaS native site recovery services to enable near to real-time failover in another region when your primary region experience’s an (planned) outage or degraded performance, these services help to keep-a-live those existing “Sticky” connections which will eventually complete a transaction of some kind e.g credit card donation.

I’m all for public cloud in fact two operating styles “Native” vs. “Managed” Public Clouds strategies. I’ve ran my personal lab in AWS EC2 since 2016, easily amortised £1000 over these past 4 years with plenty of cashflow free. Really? How? Having a strong background + experience in the MSP world on the edge of the City of London and working with “Managed” Public Clouds platform I began to respect + understand how all IaaS providers operate inclusive of the full lifecycle management of workloads + the data centre platform itself which is to not leave everything on like you do at home or in a traditional managed colocation data centre. In a native vs. managed IaaS world you’ll turn off and deallocate capacity if you don’t require it and scale it up as you equally require it with little to no friction. I’ve digressed enough back to the IT Employees Experience Scorecard.

A number of my customers have overcome that randomness or pockets of employees complaining about a poor experience post deploying Citrix ADM as the issue can now be identified and remediated pretty efficiently. The solution is simple, deploy and run Citrix ADM for up to a week continuing as is, no changes and then run a report similar to the above and in parallel visualise all those support cases from your service desk platform and marry up employee names and you’ll quickly notice a pattern forming between employees with poor experiences vs. support cases + the number of them.

I suggested to organisations survey those employees and ask them a few simple questions the best ones “Who is your home broadband provider?” and the second “How many devices are connected in the house to the internet and number of people?”. The first question revealed what I expected its the employees consumer ISP and the suggested remediation could well be provide them a “stipend” exclusively for mobile data onto personal contracts or ship them a 4G mobile hub/dongle to use instead and the problem vanishes over night almost every time and video conferencing platforms perform better as a net result equating to happier employees with a better experience.

The second question is about understanding what is happening within the home and as a result tweak or deploy a new HDX policy which again almost every time the employee experience was significantly improved. An example is switching out “Thinwire” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/graphics/thinwire.html for “EDT” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/hdx/adaptive-transport.html or visa versa. You can Optimise the “EDT” HDX protocol bandwidth over high latency connections – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/technical-overview/hdx/bandwidth-connections.html as its roots are entrenched from the “Framehawk” protocol which was originally engineered from the ground up to deliver a better experience with macro rising increases of spectral interference and multipath propagation, you can learn more about that by reading this article – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/graphics/framehawk.html. An important note you should be actively using the “EDT” protocol with or beyond 1912 LTSR if you want something like “Framehawk“.

Getting Started with Citrix Application Delivery Management (ADM)
It can be consumed as a Citrix Cloud Service – https://docs.citrix.com/en-us/citrix-application-delivery-management-service.html or you can deploy a customer owned and operated platform – https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13.html.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Azure AD SAML Sign-in with Virtual Smartcard to Citrix Virtual Apps & Desktops

Consider this an evergreen post as of 10/06/2020

Introduction
The purpose of this blog post to aim for a consistent modern authentication experience for employees when consuming Citrix Virtual Apps & Desktops (CVAD) + CVAD Service regardless of where the (CVAD) workloads are running, either in *Azure, *AWS, *GCP or *On-Premises. The primary priority is that the employees identity is owned and managed by a cloud identity platform e.g Azure Active Directory (AAD) and the employees identity within each resource location* for CVAD usage maps to AD shadow accounts. These AD shadow accounts represent the employee as a UPN e.g human.name@domain, with a RANDOM long complex password that the employee doesn’t need to ever know and all IT is required to do beyond creating a AD shadow account is then assign the right vs. relevant security privileges and access to CVAD including Policies meeting local, geo of industry compliance and governance while maintaining a great employee experience.

The second priority is that the employees device can frictionlessly access CVAD resources using either a Forward Proxy, SD-WAN Overlay Network or ICA Proxy. I do recognise that many organisations are still required to make use of a VPN style strategy at the current moment and therefore this solution can also work for those devices as well repurposing the existing Citrix Gateway to also support a Full VPN beyond ICA Proxy or you can use other well established and trusted VPN solution providers.

Leveraging a Bring Your Own “either Enterprise vs. Personal” Identity (ByoI) is a concept I ponded way back in 2017 and now feels like the right time to pick that up concept again during the current Workplace transformation happening all around the world due to world wide COVID-19 pandemic. Using a ByoI strategy as high level vision you can efficiently deploy CVAD to any *Azure, *AWS, *GCP region or *On-Premises with less friction and you don’t need to be worry about “Password Syncing” just replicate the employee’s UPN + AD Security Privileges + CVAD Access & Policies where its required. It has the added benefit if you want do mix and match public cloud workloads to avoid lock-in amongst other topics, you’ll be providing a common and consistent login interface + experience irrespective of where the workload is sat.

It another brilliant benefit is the on-boarding of 3rd Parties (3P’s) using ByoI concept with a business check at the edge, the 3P brings there owned Identity and in the current world we live in I don’t think that is bad thing it could even strength that employees individual security as there identity will be bound to a smartphone which knows more about your individuals habits and you that you know yourself. If we can unlock a co-shared responsibility identity model between the individual + organisation we can truly aim for a passwordless workspace that only uses virtual smartcards or tokens.

Finally the on-boarding of M&A employees can be faster as you can generate them a few days after commercial signing with a new brand identity that resides in Azure AD (or Google, OKTA e.t.c) whilst they continue accessing existing workplace apps + data with current AD credentials, IT + HR + Business can choose when to layer in the “NEW” Workspace Platform for Work from group perspective into the existing Workspace with less friction and complexity. Yes this final topic is complex when we think about merging different Business IT and IT Systems together, a CVAD strategy with FAS bridges the GAP reducing friction and complexity for IT to sun rise a new Workspace stack for that newly acquired organisation while sunsetting the exciting Workspace stack and those new M&A employees get to on-board beyond the Workspace into there new organisations people, its culture, vision and values and avoids the IP drain that often can easily happen.

The Employee Experience

High Level Architecture
The scenario below depicts accessing a StoreFront server on any device type from within the Workplace fabric in any office locally or world wide or from a IT managed device that makes use of a Full VPN, Forward Proxy technology; WFH Citrix SD-WAN appliance where traffic passes over an SD-WAN overlay network; Citrix Endpoint Management enrolled smart device with per-app mVPN configured and finally irrespective of the devices management status you can use ICA Proxy* to access CVAD resources anywhere over the internet inclusive of any home via a Citrix ADC (formerly NetScaler) using the Gateway functionality which is “VPN-Less*”.

Systems Requirements & Pre-requisites
1. A UAT or Test CVAD 1912 LTSR Site that already setup. My personal one runs in AWS EC2 as it retains hosting connections or public clouds to preform MCS provisioning of machines from customer own and managed control plane. You can also use the Citrix Virtual Apps & Desktops (CVAD) Service or sign-up at https://citrix.cloud.com/ and engage your local Citrix representatives to get a trial setup for the CVAD Service.
2. Deploy a new VM which will run the following Citrix 1912 LTRS StoreFront and Federated Authentication Service (FAS) roles to create a new “Store” on StoreFront called “AAD” which will be configured to accept the Azure AD SAML token which will then convert the AAD SAML tokens into a Citrix virtual smartcard to SSO the employee onto CVAD resources.
3. Install StoreFront – https://docs.citrix.com/en-us/storefront/1912-ltsr/install-standard.html after reading the system requirements – https://docs.citrix.com/en-us/storefront/1912-ltsr/system-requirements.html.
4. Setup and Configure FAS Role on your StoreFront Server – https://docs.citrix.com/en-us/federated-authentication-service/1912/install-configure.html after reading the system requirements carefully – https://docs.citrix.com/en-us/federated-authentication-service/1912/system-requirements.html, this part shouldn’t be a problem e.g leaning on on Security teams whom control the Enterprise CA Admins as you’ll hopefully be using a proper UAT or Test CVAD environment with all the Microsoft management servers and roles including an Enterprise CA which FAS requires and access to AD introduce new GPO’s.
5. An Azure AD “personal or business test” tenant.

Deployment Guide

Azure AD Setup & Configuration – Personal Home Lab Edition
If you have a separate Azure AD tenant in Azure you can proceed to the next section, however if you are an IT Pro that wants to test out how to convert Azure AD SAML logins to Citrix virtual smartcards for CVAD the following the below guidance below for setting up a personal ADD tenant with a personal Azure account for your home lab. WARNING I am not an Azure AD nor on-premises AD expert, therefor follow the leading practises found in Microsofts documentation for Azure AD.

1. Navigate to https://portal.azure.com and sign-in with your live vs. personal Microsoft account. Select “Create a resource”.
2. Select “Identity” then select “Azure Active Directory”.
3. Enter in an “Organisation Name, Initial domain name and select your Country or region”.
4. The wizard will begin creating your AAD tenant .
5. Once it completes click the hyperlink within “Click here to manage your new directory”.
6. At the Overview page of your new AAD tenant select “Users” under “Manage” section.
7. Select “+ New user” under the “All Users (Preview)” Overview you’ll notice your personal email addr.
8. You’ll notice when creating a new employee account for your AAD tenant that you can only append domain.onmicrosoft.com to the username, I’ll explain how-to convert that to user@domain and remove the UPN requirement of user@doamin.onmicrosoft.com in the next few steps. For now fill the following fields “User name”; “Name”; “First name”; “Last name”; “Password” (choose or auto-generate) and the select “Create” keeping the defaults as they are.
9. Your new AAD employee is successful created, you can assign roles. NOTE for my personal testing purposes I didn’t configure anything as I’ll delete that test employee AAD account after my testing.
10. At this point I’m not going to deploy nor setup the “Azure AD Connect” in my Citrix Cloud Resource Location as I want the employees primary identity to always reside in Azure AD as the single source of truth, and then bring that identity to my Citrix Cloud Resource Location e.g Bring your own Identity (ByoI) and after a successful AAD SAML login map that to a hardened AD Shadow account with long complex password that the employee will never know and all I need to do it assign the AD security privilege and access for CVAD resources. This approach means that employee will NEVER enter in a AD password within a Citrix Cloud Resource Location that is configured for AAD (or Google, OKTA e.t.c) when using CVAD 1912 LTSR StoreFront and the Federated Authentication Service (FAS) in a Resource Location(s). For complex environments yes you’ll likely deploy the “Azure AD Connect” software as a role somewhere to replicate the employees but you don’t need to replicate there passwd or you can provision the employee twice once in AAD as in the example above and then again manually in AD in the Resource Location as there corresponding AD shadow account which matches the UPN from AAD when authenticating using SAML to StoreFront, the choice is yours but I found for testing purposes a manual in each is far less frictionless.

On-Premises Active Directory (AD) within your Resource Location
1.Create a new AD “Shadow” account that matches the “User Principal Name (UPN)” in AAD e.g user@domain, generate a random long complex password which they don’t need know and then assign or inherit the right vs. relevant AD security groups, GPOs that you would usually assign to a CVAD consumer.
2. On-board your domain into Azure AD which required verifying it with a MX record to avoid using user@domain.onmicrosoft.com so that you can use user@domain keeping it simple and less complex.

Installation and Configuring the Federated Authentication Service (FAS)
1. On the new VM that you just installed 1912 LTSR StoreFront role onto from the existing mounted ISO run the autorun splash screen and select “Federated Authentication Service”.
2.Read the EULA which you’ll need to “Accept the Licenses Agreement” to continue.
3. Accept the defaults and select “Next” on the “Core Components” page.
4. Accept the defaults and select “Next” on the “Firewall” page.
5. Once the installer is finished select “Finish” to close.
6. Open a PowerShell window in Admin mode then copy & paste the following code below, which will enable a trust between the CVAD Controller and the StoreFront server, minimise this window you’ll require it later.

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

7. Navigate to the following path “C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions\” on the current StoreFront server that you installed FAS role onto, copy the following two files “CitrixFederatedAuthenticationService.admx” and “CitrixBase.admx” the entire folder “en-US” to a network share which will need to be accessible from your Windows Domain Controller or WDC.
8. Connect to your Windows Domain Controller (WDC) via RDS from the current StoreFront + FAS server and copy the two *.admx FAS files including folder “en-US” from your network share to the following path on the “C:\Windows\PolicyDefinitions” on your WDC.
9. Open an “MMC” console and load the “Group Policy Management Editor” snap-in, at the prompt for a Group Policy Object, select “Browse and then select ”Default Domain Policy”.
10. In the MMC console navigate to “Default Domain Policy [server name] > Computer Configuration > Policies > Administrative Templates > Citrix Components > Authentication” and you should see the following three policies available “Federated Authentication Service”, “StoreFront FAS Rule” and “In-session Certificates”.
11. Select and open the “Federated Authentication Service” policy, next select to “Enable” it followed by selecting the “Show” button parallel to “DNS Addresses” label and enter in the FQDN e.g. “server.domain” of your StoreFront + FAS server and then select “OK” and then select “OK” to save the policy configuration and enabling FAS.
12. Next select and open “In-session Certificates” and select “Enabled” and in the “Consent timeout (seconds):” field type in a value of “30” which is the default.
13. Next close the MMC console and open up the existing PowerShell (Admin mode) and copy and paste the following code to force a Group Policy Update. 

gpupdate /force

14. Minimise the RDS connection from your WDC so that you are back on your StoreFront + FAS server. Search and open up Citrix FAS in Admin mode, if you don’t you will be notified in the UI and then select “run this program as administrator” which will reload the FAS UI in Admin mode.
15. Select to “Deploy” for “Deploy certificate templates”.
16. Select “Ok” on the pop-up window that appears.
17. You’ve now successfully deployed the certificate templates, now select “Publish” for “Set up a certificate authority”.
18. Select the right Enterprise Certificate Authority (CA) from the available list and select “Ok”.
19. You’ve now deployed the certificate templates successfully to your Enterprise CA, now select “Authorize” for “Authorize this service”.
20. Select the right Enterprise Certificate Authority (CA) from the available list (same as above) and select “Ok”.
21. The FAS UI will display a spinning icon as the authorisation request is pending on the Enterprise CA server. 
22. Connect to your Enterprise CA via RDS and the “Microsoft Certification Authority” MMC Console and navigate to “CA > CA Server > Pending Requests” you’ll see pending certificate right click it select “All Tasks > Issue” and the certificate will be issued. 
23. Verify the issues certificates are issued by selecting “Issued Certificates” and verify you can see two issues certificated that begin with “Citrix_RegistrationAu…”.
24. Minimise your RDS session to your Enterprise CA and return to the StoreFront + FAS server, you now notice the “Authorize this service” says “Reauthorize” which is correct as the FAS service is now authorised with the Enterprise CA. Next select “Create” for “Create a rule”, which launch a new window.
25. Accept the default “Create the default rule (recommended)” and select “Next”.
26. Accept the default “Citrix_SmartcardLogon (recommended)” and select “Next”.
27. Select the previously selected and configured Enterprise CA you Authorised and select “Next”.
28. Select “Allow in-session use” and select “Next” if you enabled the following policy “In-session Certificates” earlier.
29. Select “Manage StoreFront access permissions (access is currently denied)” in red text which will open a new window.
30. Remove “Domain Computers” and add the “Server” running the StoreFront + FAS roles and under “Permissions” to “Allow” then select “Apply” and “Ok”.
31. The screen will update with “Manage StoreFront access permissions” to now be in blue text, now select “Next”.
32. Select “Manage user access permissions (all users are currently allowed)” in red text which will open a new window.
33. You can change to default “Domain Users” to your own test AD security group, then under “Permissions” to “Allow” then select “Apply” and “Ok”.
34. The screen will update with “Manage user permissions (all users are currently allowed)” to now be blue text, now select “Manage VDA permissions (all VDAs are currently allowed)” which is in red text.
35. You can change to default “Domain Computers” to your own test AD security group that your Citrix Virtual Delivery Agents (VDA) are found within, then under “Permissions” to “Allow” then select “Apply” and “Ok”.
36. The screen will update with “Manage VDA permissions (all VDAs are currently allowed)” to now in blue text, now select “Next”.
37. Now select “Create” and a “Default” FAS rule.
38. You have now successfully setup and configured Citrix FAS, you still need to enable FAS Claims for your “AAD” store on StoreFront which is covered later in this blog post.

Creating a new Store call “AAD” for Azure AD SAML Authentication in StoreFront
1. Open Studio and select “StoreFront” then select “Stores” and the on the “Actions tab” select “Create Store”.
2. On the splash screen select “Next“.
3. Type in “AAD” for the “Store Name” field and click “Next”.
4. Select “Add” list a CVAD controller, a new window will appear where you need provide the following information a “Display Name” e.g Citrix Cloud Connectors vs. CVAD 1912 LTSR, for the “Type” select “Citrix Virtual Apps and Desktops” and under “Servers” list select “Add” and type in the Citrix Cloud Connector or CVAD 1912 LTSR addresses and choose “Transport type” either HTTP 80 or HTTPS 443 (Preferred) and click “OK”.
5. You are now returned to the “Delivery Controller” page with a list of either Citrix Cloud Connectors or CVAD Controllers 1912 LTSR, click “Next“.
6. Now on the “Configure Authentication Methods” page select “SAML Authentication” and leave “User name and password” checked as YES, then click “Next”.
7. Ignore “Remote Access” configuration and click “Next“. NOTE: I will update this blog post at a later date with the Remote Access via Citrix Gateway formerly NetScaler Gateway.
8. Accept the default’s on the “Configure XenApp Services URL” and click “Create”.
9. StoreFront will begin creating your new “AAD” Store on your StoreFront server, once the wizard completes select “Test Site” to verify you can see a webpage that displays Citrix Receiver or you can navigate to “https://FQDN/Citrix/AADWeb/” replacing the FQDN with your own to verify the webpage is available.

Generating AAD SAML Configuration for StoreFront
1. In the Azure AD UI in the Azure Portal select “Enterprise applications” node.
2. When the UI updates in the centre select “Select “New application”.
3. You are taken to the “Add an Application” wizard and presented with three options select “Non-gallery application“.
4. Next provide a name for your own application e.g AAD-SAML-CVAD1912LTSR and then click “Add” at the bottom.
5. The AAD wizard completes and you are taken to the “Overview” page for “AAD-SAML-CVAD1912LTSR“, now select “Users and groups” from within this view.
6. Add an native AAD user(s). Note do not add any employee that does not have a AD shadow account setup and configured in the Citrix Cloud Resource Location (RL).
7. Now from the same “Overview” page for “AAD-SAML-CVAD1912LTSR” select “Single Sign-on” and on the “Select a single sign-on method” wizard select “SAML” and will start the AAS SAML wizard.
8. Select the pencil icon for “Basic SAML Configuration” to configure the following fields as follows below and select “Add“.

Identifier (Entity ID): https://FQDN/Citrix/AADAuth
Reply URL (Assertion Consumer Service URL):https://FQDN/Citrix/AADAuth/SamlForms/AssertionConsumerService
Sign on URL: https://FQDN/Citrix/AADWeb

9. Check under “User Attributes & Claims” portion that the “Name” field is configured to “user.userprincipalname”.
10. Scroll to “SAML Signing Certificate” and click to download the “Federation Metadata XML” e.g. AAD-SAML-CVAD1912LTSR.xml, now save or transfer it to your StoreFront server at C:\Temp.

Create and Configure a Azure AD SAML Trust in StoreFront
1. If you have transferred the *.xml file e.g “AAD-SAML-CVAD1912LTSR.xml“, then on your StoreFront server create a folder called “Temp” on “C:\” and transfer the downloaded *.xml file.
2.Open PowerShell in admin mode or launch it from Studio 1912 LTSR. Copy & paste the following code below, however if opening the PowerShell with Admin privileges without Studio 1912 LTSR then copy & paste this cmdlet first before proceeding with the configuration & “$Env:PROGRAMFILES\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1“. You will notice the virtual path for the Store is already set here to AAD so you can copy and paste it as is. This code sets up and configures SAML for the ADD Store.

$storeVirtualPath = “/Citrix/AAD” 
$auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath) 
$spId = $auth.AuthenticationSettings[“samlForms”].SamlSettings.ServiceProvider.Uri.AbsoluteUri 
$acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/AssertionConsumerService”) 
$md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlForms/ServiceProvider/Metadata”) 
$samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + “/SamlTest”) 
Write-Host “SAML Service Provider information: 
Service Provider ID: $spId 
Assertion Consumer Service: $acs 
Metadata: $md 
Test Page: $samlTest “
 

3. Next copy and paste the following code which will ingest SAML configuration from the Azure AD *.xml that you downloaded earlier and copied to C:\Temp on the StoreFront server.

Get-Module “Citrix.StoreFront*” -ListAvailable | Import-Module
# Remember to change this with the virtual path of your Store.
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath “C:\Temp\AAD-SAML-CVAD1912LTSR.xml”


4. Validate there are not error(s) on screen that need resolving.
5. Minimise your PowerShell window you’ll need it again shortly, now open up Studio or StoreFront MMC console and navigate to the “Stores” and select “AAD” and select “Manage Authentication Methods“.
6. Select the cog icon parallel to “SAML Authentication” and then select “Identity Provider” you should see that your AAD SAML configuration is setup and configured, leave it as is DO NOT TOUCH it!
7. Close all windows including Studio or StoreFront.

Enabling FAS for Converting Azure AD SAML Tokens to Virtual Smartcards
1.Open up your existing PowerShell window and copy and paste the following code below, which will ENABLE FAS for your ADD Store to convert AAD SAML tokens received into virtual smartcard that will be used to SSO the employee onto his/her Citrix virtual app and or desktop. You’ll notice the code is configured for the “AAD” Store so you can copy and paste as is.

Get-Module “Citrix.StoreFront.*” -ListAvailable | Import-Module
$StoreVirtualPath = “/Citrix/AAD”
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName “FASClaimsFactory”
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider “FASLogonDataProvider”


2. Validate there are not error(s) on screen that need resolving, if there are none you can nose close the PowerShell window.

Testing your Azure AD SAML to Virtual Smartcard Login
1. Navigate to https://FQDN/Citrix/AADWeb which will redirect you to a AAD login.
2. Enter in your UPN e.g user@domain and then complete the required 2FA vs. MFA requirements setup by your organisation as requirement onscreen.
3. You will be returned to https://FQDN/Citrix/AADWeb and SSOed onto UI, depending on your setting your desktop will either auto launch of you’ll have to manually launch it yourself. The initial login will take slightly longer than usual as its generating you that initial virtual smartcard between StoreFront, FAS, AD and your Enterprise CA.
4. Your Citrix vDesktop or vApp should launch successfully and SSO the on without prompting for any credentials.

Troubleshooting
1.If you receive ANY error once returned to https://FQDN/Citrix/AADWeb post the AAD SAML login open a new browser tab in the same session and copy and paste the following URL https://FQDN/Citrix/StoreAuth/SamlTest to see if you have any oblivious errors e.g user@domain.onmicrosoft.com from Azure AD which doesn’t map to the AD Shadow account that is user@domain so its a UPN mismatch and the sign-on will continue to fail.
2. If the employee can sign on to https://FQDN/Citrix/AADWeb and the Citrix vApp or vDesktop launches but they see a credential prompt with “Other User” check and see that you configured FAS for the correct Store with SAML Authentication setup and configured if not using my example of “AAD” as the Store setup and configured on StoreFront.

ICA Proxy Remote Access with Azure AD SAML
Coming…

Concept on Bring your own Identity (ByoI) Strengthening Security through Co-Shared Responsibility owned by IT with different operating models
Its a simple concept which I like and yes it adds in complexity but it times today its far better to harden against unwanted 3rd party access whilst making it harder to achieve lateral movements. If the employee’s account is compromised by a 3rd party, they would need to compromise the employees identity in the cloud directory e.g AAD and in Active Directory (AD) on-premises as both passwords are completely different with different types of multi-factor authentication methods bound including access privileges.

The views expressed here are my own and do not necessarily reflect the views of Citrix.


Journey to The Nirvana Phone within the Workplace Part 1

Does it even actually exist? Truthfully it depends on how we as humans (employees) choose to consume the apps, data and network services on them for the purposes of personal and workplace usage.

In preparing to write this article I googled “The Nirvana Phone” the top search result is a Wikipedia entry – https://en.wikipedia.org/wiki/Nirvana_Phone (huge smile) along with 3 YouTube videos and very very very familiar face followed by yet another huge smile + found memory flashback because its Citrix CTO of Emerging Technologies Chris Fleck demonstrating using an iPhone 4 running a Windows 7 VDI (DaaS) delivered by Citrix Receiver on iOS connected to a monitor with a Apple VGA adaptor and portable paired Bluetooth keyboard. This is actually a key subconscious moment for me that has had a profound affect on me, and how I approach and look at the world around me today. So when I first saw that video I immediately hunted among work colleagues and friends for that Apple VGA cable adaptor to test it out for myself with my iPhone 4 and oh boy I was NOT disappointed yes it still had a way to go but as a real world working prototype concept enabling anyone in the world who uses Citrix and is the owner of an Apple iPhone 4 to use it in such a way is mind blowing even now while also demonstrating the WOW effect that this gaming changing technology will have on the workplace, even today nearly a decade on I am using one of many Nirvana Phones out there in the market running Citrix Workspace app available from all major app stores to actively take full advantage of my iPhone XR “Nirvana Phone” as it was intended in Chris Flecks original video below to be flexible and adaptable between sandbox vs. native mobile apps, browser based SaaS web apps and of course Citrix virtual apps* & desktops** formerly known as XenApp* and XenDesktop**.

I mentioned earlier it was a “key subconscious moment” for me personally as it validated and meant to me that I can use a devices as such as the Apple iPad or iPhone as a work device this is super cool and practically appealing to me, even today at Citrix they are evolving this a reality of the “Nirvana Phone” with the Intelligent Experience – https://www.citrix.com/lp/intelligent-workspace.html by distilling the friction + complexity of apps into simple to consume actions and insights from Citrix Workspace app vs. web portal.

Lets go back in time to late 2012, I’ve joined Citrix and at Christmas I’m gifted with an Apple iPad Mini which I used a lot running and working from @WorkMail, @WorkWeb (inclusive of my iPhone) and occasionally I consume my Windows 7 VDI on my iPad Mini because I can’t find a Bluetooth enabled mouse that works with it but it does work great for tasks such as lengthily emails using the soft/digital keyboard while travelling to and from events around the world like Citrix Summit and ServTech likewise locally on trains tethered to my iPhone as train Wi-Fi does not really exist in the 2012.

Fast world to 2015 and Citrix releases a prototype Bluetooth enabled mouse called the “Citrix X1 Mouse” and who is back demoing this capability? Yes Chris Fleck is back again continuing to edge closer to the “The Nirvana Phone” workplace operating model. What most folks are not aware of I could not make Citrix Summit that year due to a family member whom was medical very unwell, yet one of the best humans I have ever had the privilege of working with in my professional working career is Caz and she brought me back an original X1 Mouse prototype because she knew its importance and value to me with my digital first nature with modern touch enabled devices like iPhone’s and iPad’s beyond today’s modern day typewriters which to be honest looking back I was held back by the technology interfaces of my time VGA to HDMI and finally entering into the main stream market late 2018 and into 2019 casting capabilities matching what we use at home Google Casting for example now coming into the Workplace like Click Share but for me they are still both a v1 they need to mature over time.

Fast forward later in May of 2015 and the final piece for me falls into place with the Citrix Workspace Hub prototype demonstrated again by Chris Fleck with the at current CEO Mark B Templeton.

Fast forward again now its 2018 and the Citrix Workspace Hub officially launches and is available through select thin client vendors that choose to be in the program. I get a Citrix WorkspaceHub device for my own personal usage from Citrix ServTech and the first thing I do when I get home is plug it in and start using it, you can see me demoing it the first time I used it at home in 2018 from my annual series of “How I worked in 20XN” obviously 2018 edition which is embedded below, fast forward to 2 minutes, 30 seconds to watch it.

Today its 2019 the current year of this post and well lets say I have totally shifted to using “The Nirvana Phone within the Workplace” because I choose to but more important the technology of my current time allows me to, and I’ve ditched the modern day typewriters up to 12-17% of my total workplace through-out 2019. You still need a larger screen and laptop for creator personna’s but for the consumer personna’s personally I don’t believe you do at a high level. You can read my journey over 2019 transferring to the “The Nirvana Phone” operating model in the workplace, starting with the original post in the series of “The Future of Work is Today NOT Tomorrow” – https://www.mycugc.org/blogs/lyndon-jon-martin/2019/03/17/the-future-of-work-is-today-not-tomorrow-part-1, followed by part 2 –https://www.mycugc.org/blogs/lyndon-jon-martin/2019/03/28/future-of-work-is-today-not-tomorrow-part-2 and part 3 – <coming>.

In closing part 2 series will focus on how to get started and work they way I do every working day at Citrix where ever I am.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

HDX Offloading for Microsoft Teams within a Citrix Virtual Desktop

Consider this an evergreen article with *pro-active adds/moves/changes inclusive of errors/mistakes until I remove this statement.

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering Microsoft teams within a Citrix virtual desktop powered by Citrix Virtual Apps & Desktops (CVAD) Service – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops-service.html in Citrix Cloud prior to deploying in a PoC, Pilot or Production environment. The views, opinions and concepts expressed here are those by the author only and do not necessarily conform to industry descriptions nor leading practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SKYPE FOR BUSINESS – skype4b
CITRIX VIRTUAL DESKTOP – cvd
CITRIX VIRTUAL APP & DESKTOP – cvad
VIRTUAL DELIVERY AGENT – vda
HIGH DEFINITION EXPERIENCE – hdx
VIRTUAL DESKTOP – vd
VIRTUAL APPS – va
REALTIME MEDIA ENGINE – rtme
CITRIX WORKSPACE APP – cwa
MICROSOFT TEAMS – teams
CURRENT RELEASE – cr
LONG TERM SERVICE RELEASE – ltsr

Very Importantly Notice*
This feature depends on a future Microsoft Teams release. We will update this description as information about the version and release date become available.” referenced directly from – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#system-requirements.

Introduction
In May 2016 I published the following blog post entitled “Deploying Skype for Business 2015-16 (Offloaded) from a Citrix HDX Optimised Virtual App or Desktop” available at – https://axendatacentre.com/blog/2016/04/25/deploying-skype4b-2015-offloaded-from-a-citrix-hdx-virtual-app-or-desktop/. Suggested before you continue reading this post please read the “Optimization for Microsoft Teams” documentation on Citrix eDoc’s at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html or study if you are pressed for time the below architecture diagram for ease of use, of the joint Citrix + Microsoft solution to offload the audio/video processing of Teams from a Citrix Virtual Desktop to the employees local endpoint that is required to run a supported OS + Citrix Workspace app + Real-Time Media Engine (RTME). I still encourage you to please read the documentation in full prior to continuing reading.

It is also worth understanding Microsofts basic architecture overview of the solution which is available at – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#teams-on-vdi-with-calling-and-meetings.

The Employee Experiences with Teams HDX Offloaded

Windows

Linux (x64 Linux distributions only)

Understanding a HDX Optimised vs. Non-Optimised CVAD Deployment
The following HTML diagram depicts the differences between (un)optimised, I’ve also included a few suggested considerations as well.

Non-Optimised  Optimised for HDX Teams Offloading

Windows OS
VDA YYMM
Teams app 1.2.00.31357
Internet
End-point + Citrix Workspace app (CWa)

Windows OS
VDA YYMM

ICA/HDX Virtual Channel* 

 ↓
Teams app 1.2.00.31357
HDX Teams Services
Internet  ↑
 ↓

End-point + Citrix Workspace app (CWa) – Windows 1911*
A/V Traffic to other End-Point ←
HDX Embedded Media Engine

1. It’s very important to recognise that employees will find themselves in a situation where the connected end-point is unoptimised during work from home scenario e.g COVID-19 and therefore you should plan for these scenarios by implementing the right vs. relevant HDX policy strategy “Balanced” vs. “Preferred” see below guidance.
2. Educate employees when using a non corporate device e.g personal device at home during to COVID-19 they will likely be consuming an un-optimised version of Teams in CVAD, its important to set a exception to avoid unnecessary help desk tickets/calls.
3. Any and all exchanged IM’s and documents live within the CVAD lens meaning that your IP + Pii in any documents lives within the employees CVAD resource e.g Virtual Desktops when they exported it from a IM’s vs. channel(s) in Teams. It is also important to recognise that those same IMs’ vs. channel(s) originate and are available in Microsoft Teams on any device as the source, so if employees re-frame teams outside of your Citrix virtual desktop your IP + Pii in documents could be exfiltrated if the employee device(s) are not properly managed by IT e.g MEM, UEM, MAM, Secure SaaS check out – https://www.mycugc.org/blogs/lyndon-jon-martin/2020/03/27/secure-saas-on-zero-trusted-vs-earned-trusted-devi for more information.

LTSR vs. CR Strategy for HDX Offloading of Microsoft Teams?
It’s worth understanding that if your CVAD deployment strategy is to use the Long Term Service Release (LTSR) then you will not receive any new features only bug fixes this thinking keeps inline with the current CVAD strategy between CR vs. LTSR (stability and long-term – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr.html) release cycles. Consuming a CR branch means that you can unlock new features as they become available by upgrading your CVAD on-premises of upgrade the CVAD Service components within your Resource Locations (RL).

Release Strategy New Features Bug Fixes Documentation
CVAD Service
On-premises Current Release (CR)
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html
Long Term Service Release (LTSR)
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/1912-ltsr/multimedia/opt-ms-teams.html

Pre-requisites & System Requirements Key Highlights Only
The full and complete list is available at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html*, there is also a Citrix TechZone article published at – https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/optimizing-unified-communications-solutions.html. The below are the key highlights that should be focused on to be successful.

1. You will require the following MSFT teams version “1.2.00.31357” in order to be able to take advantage off the HDX Offloading capabilities within a supported CVAD environment. The following Citrix Workspace app (CWa) versions are the suggested vs. minimal versions that will be required to HDX offload Teams A/V traffic onto the employees endpoint:

Windows
Minimum Version: Citrix Workspace app 1911 for Windows
Download (1911): https://www.citrix.com/en-gb/downloads/workspace-app/legacy-workspace-app-for-windows/workspace-app-for-windows-1911.html
PDF Documentation (1911): https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/1911/citrix-workspace-app-for-windows-1911.pdf

Linux
Minimum Version: Citrix Workspace app 2006 for Linux running on x64 Linux distributions.
Download (2006): https://www.citrix.com/en-gb/downloads/workspace-app/linux/workspace-app-for-linux-latest.html
PDF Documentation (CR): https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/citrix-workspace-app-for-linux.pdf

Mac – Technology Preview
Technology Preview Version: Citrix Workspace app 2009 for Mac OSX running on 10.15.
Download (2009): https://www.citrix.com/en-in/downloads/workspace-app/betas-and-tech-previews/workspace-app-tp-for-mac.html
Provide Feedback https://podio.com/webforms/22969502/1632225


2. Avoid using the .exe installer for Teams – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#microsoft-teams-installation.
3.The Citrix HDX Teams policy “Microsoft Teams redirection” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/multimedia-policy-settings.html#microsoft-teams-redirection, is ON by default as per https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#microsoft-teams-installation.
4.CTXMTOP is a Citrix HDX virtual channel used for command and control purposes and no media is therefore exchanged between the CWa running on the end-point and the VDA running in the resource location (data centre).
5. In terms of network connectivity requirements PLEASE NOTE that MSFT Teams utilises Media Processor servers in Office 365 for meetings which affects the behaviour of two peers in point-to-point call scenarios, you can learn more at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#network-requirements, you should be thinking about near to local breakout from end-points to ensure IP transmits to Office365 over the most efficient and faster available route to avoid any/all employee experience degradation this will also directly apply to any MSFT teams clients on native devices that aren’t HDX Offloaded so take note! If you are a Citrix SD-WAN customer take a look at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#citrix-sd-wan-optimized-network-connectivity-for-microsoft-teams likewise if you are not a Citrix SD-WAN customer please take the opportunity to understand why you need to be thinking about an SD-WAN solution for your modern workplace.
6. You will need to update your Windows Firewall ACL on Windows endpoints to avoid the offloading failing by allowing “HdxTeams.exe (HDX Overlay Teams)“, you learn more at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#firewall-considerations.
7. Understanding Screen sharing – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#screen-sharing-in-microsoft-teams.

Deploying HDX Offloading (HDX Optimisation Pack ) for Microsoft Teams in a Citrix Virtual App vs. Virtual Desktop
1.The minimum on-premises control plane required is 1906 running the 1906.2 VDA reference – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#system-requirements and
2.You need to enable the following policy in Studio for 1906 see page at 668 – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/downloads/citrix-virtual-apps-and-desktops-1906.pdf to enable “Microsoft Teams redirection” which is also documented at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#system-requirements.
3.Endpoints should be running Citrix Workspace app for Windows 1907 but the recommended version is 1909 and be sure to configure the Windows ACL for Windows Defender Firewall to allow the “HDX Overlay Teams” app to traverse the right vs. relevant networks for more information please check out – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#firewall-considerations.
4. The Citrix TechZone micro-site includes few detailed Proof of Concept web document at – https://docs.citrix.com/en-us/tech-zone/learn/poc-guides/microsoft-teams-optimizations.html#policy-settings entitled “Proof of Concept guide for Microsoft Teams optimization in Citrix Virtual Apps and Desktops environments” to help you setup, configure and deploy Microsoft Teams through a CVAD session or lens. It is a must read and therefore I have chosen to not repeat of any of the authors great work expect what was in my original post 06/08/2019. A fellow Citrix colleague Wendy Gay, published a simple guided step by step overview at – https://citrixie.com/2020/04/14/installing-teams-optimization-pack/ which is worth reading.

Microsoft Teams Leading Deployment Practises for Teams in Citrix VDI
1. Migrate Teams on VDI with chat and collaboration to Citrix with calling and meetings – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#migrate-teams-on-vdi-with-chat-and-collaboration-to-citrix-with-calling-and-meetings.
2. Teams on VDI performance considerations – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#teams-on-vdi-performance-considerations.
3. Known issues and limitations – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#known-issues-and-limitations

CWa Endpoint Update Release Strategy
It is important to recognise that you will need to manage the versions of supported CWa out in the field to avoid the HDX Offloading of Teams breaking and causing a degraded employee experience reverting to fallback of A/V. Please note that each supported OS platform has a different management strategy. You should also please take into account Microsofts recommendations – https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi#install-or-update-the-teams-desktop-app-on-vdi.

Platform Manual Automatic IT Controlled Link
Windows
https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/update.html#advanced-configuration-for-automatic-updates-citrix-workspace-updates
Linux
https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html#update

Tech Insight – Microsoft Teams Optimization with Citrix
This video provides a detailed guided overview of the joint architecture, employee experience, optimisations inclusive of using Citrix SD-WAN, teams call routing and more. Originally posted to the Citrix TechZone at – https://docs.citrix.com/en-us/tech-zone/learn/tech-insights/microsoft-teams-optimization.html.

Suggested HDX Broadcast (Remote Graphics Mode) Policy for 7.15 Long Term Service Release (LTSR)
*Please be aware that Citrix eDocs is very clear when it states that Citrix does NOT support Teams HDX Offloading Optimisation for 7.15 Long Term Service Release (LTSR) as it is NOT listed as a supported CVAD platform, you still may wish however to test Microsoft Teams operationally e.g test out its impact on compute, I/O, user profile e.t.c and then purely for fallback failures aka NO HDX Offloading Optimisation BUT you will not be able to test the employee experience of HDX Offloading the audio/video traffic as it is NOT supported remember*). You’ll make use of your UAT 7.15 LTSR environment to be ready for a 2020-21 deployment on a supported CVAD release that supports HDX Offloading for Microsoft Teams, therefore use the built-in default HDX policy “Use video codec for compression” selecting  “Use video codec when preferred” which means the following “This is the default setting. No additional configuration is required. Keeping this setting as the default ensures that Thinwire is selected for all Citrix connections, and is optimized for scalability, bandwidth, and superior image quality for typical desktop workloads.” reference the 7.15 LTSR documentation at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/graphics/thinwire.html which will probably be ok for testing under the current release that you are consuming. Final Remember: CVAD formerly XAD 7.15 LTSR platform is NOT supported for Teams Optimisation. TIP: Definitions can change between CR vs. LTSR within the HDX stack which is consistently improving and being updated to offer better employee experiences all the time e.g introduction of net new H.264 standards so always be sure to check the differences between CR vs. LTSR and CR vs. CR versions.

Transitioning from Skype for Business to Teams
A number of few folks have asked the question can I mix and match Skype for Business and the Teams Optimisation Packs together? Its actually a complex answer but the immediate answer as of 03/08/2019 is below, BUT always be sure to circle back and review Citrix’s documentation for the latest supporting statements and interoperability at – https://docs.citrix.com around Teams Optimisation and when searching use “Teams Optimization”. Tip use American spelling for better results.

The response is complex and is as follows, answers received vary dependant upon your role Citrix vs. Skpye4B/Teams SysAdmin or Consultant. As I work at Citrix today (Aug 2019) lets focus on a Citrix based role to Teams response:

1. Complete LOB app readiness of Teams including new HDX services/API’s to enable HDX Offloading within a the master image but hidden + unavailable using techniques like disabling the services for each (whatever you prefer), Citrix app layering, MSFT app masking e.t.c. TIP: Pay attention to understand the compute utilisation differences between Teams vs. Skype4B there is a difference.

2. I still need to push out the required RTME to all employee end-points so I don’t want to break the employee experience while we transition to Teams. It is expected to have backwards compatible within Citrix Workspace app for older Virtual Delivery Agent (VDA) versions check eDocs for the backwards compatibility.

3. I only want to transition employees by AD or Citrix Delivery group (department, trusted test groups e.t.c) to Teams based upon point 2 and perform a staggered canary rollout like Citrix Cloud does for each of its services.

4. The person(s) within the Skype for Business/Teams based role(s) need to setup/conf and then test the audio/video codecs prior to enabling Teams at a company wide scale, for me personally this point is actually the most critical because as you offloading the audio/video to the end-point when using HDX Offloading the back-end compute + network resources low aka aren’t taken any much of a real hit HOWEVER if the HDX Offloading fails then you really, really need to understand the impact of processing of the A/V within the Citrix session and what affect it will have on the employees experience so when he/she is completed there final tests, you should prior to a final rollout perform a test side by side two identical end-points one optimised and the other un-optimised and be sure to capture the compute + network requirements client and server side, including the network traffic and score the experience out of 10 for voice and video, the test should be done with wired (where possible today), wireless (Wi-Fi) and 4G internet connectivity in two separate locations an Office (think QoS) and at home (no QoS).

5. Once you have the results from point 4 you may want to re-evaluate your existing HDX Broadcast policies (remote graphics mode e.t.c) and take into account a fall-back scenario if HDX Offloading fails whatever the reason, you may also prefer to leave it as is, however I would strongly suggest creating an emergency fallback HDX Broadcast policy stack but it should be DISABLED and only manually pushed out only if required. The fallback HDX Broadcast policy stack is to preserve the employee experience as best you can if something goes wrong and when I mean something goes wrong I mean a non-Citrix update breaks the optimisation somehow as in reality the Citrix components e.g VDA, HDX Services/API, RTME and Citrix Workspace app are less likely to change within a 12 month period.

6. Citrix’s CR documentation for CVAD is updated to include a digram and overview of “Microsoft Teams and Skype for Business Coexistance” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#microsoft-teams-and-skype-for-business-coexistance.

Managing Employee Experience when Teams HDX Offloading is NOT available
Most folks are not aware that you can control what happens when Microsoft Teams is NOT been HDX offloaded also referred to as Optimised in a Citrix Virtual Apps & Desktops session. You can achieve or rather control the following when “Fallback Mode” occurs either when a the employees connects from an unsupported endpoint + CWa version e.g CWa for HTML5 or they switch from a IT managed endpoint to a BYO endpoint with the incorrect CWa installed (older and unsupported) or IT has not updated the VDA stack within the master image within the Citrix Cloud Resource Location or preferred cloud data centre type.

You can when the optimisation is unavailable enforce no fallback or audio only (suggested and preferred), if you don’t set either of these options the default is to fallback to allowing the Citrix ICA/HDX protocol to do what it does best optimises the remoted session, you can learn more at – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#peripherals-in-microsoft-teams.

Suggested “Balanced” HDX Broadcast (Remote Graphics Mode) Policy for Fallback
In 2016 I proposed the following HDX policy for remote graphics “Use video codec for compression” to be set to “For actively changing regions” to preserve the employee experience in a fallback scenario, its now 2019 and my Suggested HDX policy remains unchanged as long as the key goal is to preserve the employee experience to meet that HD experience and it will come at a back-end compute + network traffic spike, including increased network traffic between server and client to process the video H.264/H.265 streams.

Once upon a time I was a SysAdmin and still am at my core so I’ll have an emergency HDX policy in place BUT disabled I call it “HDX Adaptive Display v2 (Balanced)” you configure it as follows selecting the following HDX policies in Studio:

1.”Use video codec for compression” then select  “For actively changing regions
2. “Preferred color depth for simple graphics” then select “16 bits per pixel” and also try 24.
3. Select “Frames Per Second” and select the target FPS to circa 25 from the default which is 30.

NEW 11/10/2019 you could look to utilise “Progressive Mode” – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/graphics/thinwire.html#progressive-mode, I have not tested this myself yet however it may work for your organisation if you already have it in-place actively.

I wrote a myCUGC article entitled “HDX Leading Best Practices for your Modern Secure Workspace” at – https://www.mycugc.org/blogs/cugc-blogs/2017/09/15/hdx-leading-best-practices-for-your-modern-secure which has some interesting thoughts and insights from nearly 2 years ago which you may find useful and yes I will write an updated article this year time permitting to complete my testing which requires extensive field testing with different devices I don’t just use a lab + network at home, I base 95% of all my article suggestions of what/how to configure settings vs. practises from my personal lab hosted in AWS EC2 in N.Virginia to delivered to end-points in the City of and Greater London, England so its not definitely poppy cop its real world + life scenarios and use cases that I test.

Suggested “Preferred” HDX Broadcast/RealTime/MediaStream (Remote Graphics Mode, Audio and Video) Policy inclusive of Fallback
YES I am contradicting the above suggested HDX Broadcast fallback policy, which I have now renamed to “Balanced” from my initial post and why it still remains is that it will support organisations of any size vs. scale vs. deployment rollout vs. connected devices supporting a balance between video, audio and the remoted display so when an outage occurs and neither I nor will you know what its going to be impacted for example it could be 1x MPLS circuit failure (tip check out Citrix SD-WAN link bonding demo from Jan 2016 vs. case study vs. product page) vs. degradation of all internet circuits due to bad BGP route injections, you get the idea. I’m cautious being an ex-SysAdmin/Consultant and therefore I will summary the key differentiators from my own perspectives as follows in order:

1. How important is the employee experience? For me personally this is always #1 as today’s 2019 reality, employees want an HD 4K experience consistently therefore my personal advise is utilise the built-in default HDX policies within the Current Release (CR) typically minus 2/3 of current CVAD release with your desired HDX employee experience policy tweaks.
2. Once you understand how the humans (employees) within your organisation work using Skype for Business vs. Teams you will have better context as to the WHAT should be in your fallback policy for DR, business continuity or just individual employee devices going into fallback mode. For example understanding your employees is key lets take a look at a practical example by industry vertical, a call centre employee is more interested in better audio quality with customers vs. a clinician on a video call discussing a patients surgical/recovery plan looking at patient records.
3. Re-evaluate once every 3-4 months by asking, polling quick surveys and looking at the metrics made available in both Skype for Business vs. Teams as lets be honest its not a light switch its a journey from one to the other.

Now that you understand your humans (employees) keeping point 3 in mind and begin building out your HDX employee experience policy which most likely be the using the defaults in the 19XN releases as the HDX product management team have done an brilliant job working with engineering decreasing the amount of toggles and dials to tweak the HDX protocol and its now these days automatically adapting and adjusting to maintain the human (employee) experience.

1.”Use video codec for compression” then select  “Use video codec when preferred
2. Select “Frames Per Second” use the default which is 30 or increase up to a maximum of 60.
3. Select “Visual quality” set to “High” going beyond this will incur high network bandwidth utilisation, but going beyond this is ok but remember if you are having continual networking performance issues unrelated to Citrix or the HDX offloading capability and employee experience has decreased overall think about a micro change for the current window and then revert. An example of using “Always lossless” is the clinician use case described above.

Tech Insight – Microsoft Teams Optimisation with Citrix

What Supported Hardware Can I Use With Microsoft Teams?
Strongly suggested to only use Microsoft Teams certified headsets, speaker phones, conference phones, cameras e.t.c are listed and available at – https://products.office.com/en-us/microsoft-teams/across-devices/devices. Are my existing Citrix Ready thin clients, headsets, cameras e.t.c using with Skype for Business using Citrix’s HDX Offloading capability compatible? You will need to check with your vendor for there support status with the new optimisation pack for Teams and Microsoft Teams as there have been changes made from both Citrix + Microsoft.

Collection of Suggested Troubleshooting for Microsoft Teams HDX Offloading in CVAD
Understand what Audio & Video (A/V) can be re-direction e.g web camera from supported Operating System (OS) vs. Citrix Workspace app (CWa) – https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-workspace-app-feature-matrix.pdf – Citrix Workspace App (Earlier known as Citrix Receiver) Feature Matrix.

1. The Citrix Support site has a detailed article – https://support.citrix.com/article/CTX253754 which covers off multiple topics for troubleshooting failed HDX optimisations in a CVAD session.
2. How do I know if Teams is Optimised? https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#enable-optimization-of-microsoft-teams.
3. Troubleshoot MSFT Teams – https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/multimedia/opt-ms-teams.html#troubleshoot.
4. Chromebook – Teams webcam audio problem – https://discussions.citrix.com/topic/408319-chromebook-teams-webcam-audio-problem/#comment-2063142.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Employee Personalisation Experience in Citrix Workspace

The Citrix Workspace experience always employees to personalise there workspace beyond the enterprise branding that IT may or may not enforce. So what can a use personalise?

The following options are currently available:

First Name
Last Name
Company Name (Optional)
Custom Avatar vs. Initials

The following shows the difference between with(out) an Avatar and does make a significant impact even as a Citrix employee that its my personalised workspace that I go to get work done.

How do you enable your own personal Avatar within your Citrix Workspace? I will be honest its not obvious and its driven by the Citrix Content Collaboration (ShareFile) platform.

1.Login into your Citrix Files (ShareFile) portal e.g https://axendatacentre.sharefile.eu or .com
2.Once you logged in you should be taken to “Dashboard” UI and in the middle of the web page at the top you’ll see your name e.g “Lyndon-Jon
3.Next to your name it will say “Add profile picture
4.It will then open up the “Edit Profile” web page and within the “Name and Company Details” area you’ll see parallel to your name “Profile picture” select “Upload” and browse to the picture that you will use and select it.?
5.Your picture will be upload and a green notification will appear above (right side) saying “Your profile picture has been updated.” which means your profile picture has been saved successfully.
6.Next login to your Citrix Workspace either the app or HTML5 portal and you’ll see your personalised Avatar appear instead of the standard initials Avatar. Note I did find that Citrix Workspace app across all my devices required either more than 1x refresh to propagate the new Avatar or sign-off/close Citrix Workspace app and re-login at the change propagated.

In closing you now have a personalised avatar within your Citrix Workspace available across all your devices as seen below, although I primarily use Apple devices you can see the experience persists from a HTML5 browser to the mobile and desktop apps for Citrix Workspace.

I have not checked what feature entitlement is required but considering that you personalise your Avatar in Content Collaboration its a little obvious at a glance, I will update this article in the future once I have fully investigate the entitlement required. This feature had positive impact on me that I believed a brief post about setting it up was a priority for me to share with the Citrix community.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Apple FaceID Authentication for Citrix Workspace app on iOS Devices

I recently moved from iPhone 5S (Ja Ja or Yes Yes) to iPhone XR and thought I’d enable Apple FaceID as my primary authentication method for my corporate owned device vs. PIN/Passcode and … to unlock my device + Citrix Workspace.

I have to say I’m impressed thus far it’s a really super authentication method and defiantly not a gimmick! Example I setup notifications for Citrix Secure Mail with the Show Previews set to “When Unlocked (Default)” this means that when an unknown vs. family individual picks up my iPhone they’ll see a Secure Mail badge with just “Notification” as the message see below.

However when I pick up the iPhone I see something quiet different, as you’ll notice below. I now very quickly get the right vs. relevant context surrounding the email(s) content sent, therefore I am better informed to decide when to respond e.g right now, in a few minutes or later dependant upon the activity/task that I am busy with, within my current Citrix Workplace setting e.g Citrix Paddington office, London tube vs. bus, Train up north to Manchester e.t.c as at Citrix it’s recognised that work is not a place anymore.

Workplace setting? What’s that? 

Think about yourself, you’re probably consuming  1-2 LOB apps at least 2-3 times before arriving in your first workplace setting for the day for a meeting or attending an event? Take note you’ve already signed into WORK at what 06:00-30 if you have children or perhaps later. Did this behaviour exist 5 years ago for you?

Ok back to Apples FaceID.

I wanted to truly test, push the limits and capabilities of Apple FaceID as a primary authentication method for my Citrix Workspace + Workplaces going beyond what we all test it seems e.g different coloured lighting, in the dark, twilight, dusk, low vs. bright light and the list goes on and it all worked perfectly so great job Apple so far!

I wanted more, I wanted a sudden change in my face to truly push FaceID to its limits so as many men do in November I to pulled a Movember – https://uk.movember.com (perfectly timed) so I had a thickish but full beard + moustache which was timely for me testing its limits so I registered my face with both (yes it was passing the scratchy stage) so I then decided to leave it post Movember for 3 days to see if it was learning more about my face to better recognise me and then implement the dramatic change by shaving it all off clean and what do you think happened? Did Apple FaceID recognise me? Yes it did first time, great job again Apple!

So can you be confident in consuming FaceID for Citrix Workspace app or even for unlocking your iOS devices? Yes, if it’s a supported feature on your iOS device and obviously if your corporate IT policy allows for it by not blocking it through policy controls.

How-to Enable FaceID for Citrix Workspace app on iOS
Authenticate yourself within Citrix Workspace app for iOS e.g – https://itunes.apple.com/gb/app/citrix-workspace/id363501921?mt=8 using your current method e.g TouchID and or user/passwd/token e.t.c and then to enable it Apple FaceID navigate to the settings “Menu” tap your desired configured account or the default which is “Store”, next tap “Edit Account” and finally toggle the “FaceID” option to the ON or ENABLED position/state and then you are ready to begin consuming Apple FaceID as your primary authentication method to Citrix Workspace app on iOS.

Final Thoughts
I was not a fan of Apple FaceID initially when it launched as I wanted to do some homework + research it a bit more and see and hear what other peoples experiences where, but most of all wait for the technology to mature a little.

One thing I do keeping thinking about is that Apple FaceID lets you add up to 2x faces only on the iPhone XR*. I wonder if it needs to support up to 4x for family vs. 1x for business scenarios controlled by MDM/UEM polices?

I will continue my testing over time and circle back in a few months with a new blog post of simply update this and do more background research on Apple FaceID* but until then enjoy it, its worth enabling!

The views expressed here are my own and do not necessarily reflect the views of Citrix or Apple.

Upgrading to Citrix Workspace app not App at a glance

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Why this blog post?
I am excited its finally available in the Apple app store, and I’m an advocate of Citrix + IaaS + SDWAN technologies.

Getting the Citrix Workspace app
If you are looking to update/upgrade to Citrix Workspace it’s now available on Citrix.com at – https://www.citrix.com/downloads/workspace-app/ which contains download installers for PC, Mac, Linux, HTML5 (clientless) and hyperlinks to the app for each major app store e.g Chrome, Microsoft, Apple and Android vs. search for it in your app store using the search term “Citrix Workspace” from your smart device e.g for iOS https://itunes.apple.com/us/app/citrix-receiver/id363501921?mt=8.

Upgrading clients to Citrix Workspace app
Smart devices (Mobile)
The Citrix Receiver to Workspace upgrade on smart device(s) is simple, the app store of your chosen smart device e.g iPhone will notify you of any/all pending mobile app updates and you can simply tap to begin the upgrade as seen in the below short video. I’d like to point out this is my personal bring-your-own (BYO) device so it’s not enrolled into the corporate UEM solution as I consume + access corporate LOB apps when right vs. relevant in emergency scenario’s via my corporate Windows 10 Citrix virtual desktop (XenDesktop), Slack is for the Citrix Technology Advocate (CTA) and iGel Community channels and ShareFile Workflows, Citrix SSO is for testing purposes.

PC, Mac, Linux (Machines/Laptops/Devices)
Now lets take a look at traditional/current workplace end-points that we consume as when/how within our workspace. The example below depicts me as a Citrix SysAdmin (lets test this prior to a PROD rollout organisation wide) so download the Citrix Workspace app installer from – https://www.citrix.com/downloads/workspace-app/ for your choosen end-point, and be sure to visit eDocs at – https://docs.citrix.com/en-us/citrix-workspace-app.html to check out the deployment configuration options for your organisations supported end-point(s) strategy e.g Thin Clients, CYO, BYO, Corporate issued.

What can I do with Citrix Workspace app?
Begin exploring the Citrix Workspace app web page at – https://www.citrix.com/products/workspace-app/ to learn about the business outcomes, transformation capabilities now enabled by IT (not just a cost centre anymore) and end-user value + benefits + experience. If you are short on time then watch the below embedded video which provides a brief overview in little over a minute, however if you do have time then please read this blog post entitled “Citrix Workspace App – Answers to Your Burning Questions” on Citrix.com – https://www.citrix.com/blogs/2018/06/01/citrix-workspace-app-answers-to-your-burning-questions/ and be sure to read the comments section at the bottom of the blog post.

For Citrix SysAdmins, Consultants
Download the “Citrix Workspace App 1808 Feature Matrix” today at – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-receiver-feature-matrix.pdf to learn what is vs. what isn’t available e.t.c.