Citrix Secure Access for macOS/iOS

The legacy VPN client was built using Apple’s private VPN APIs, which are now deprecated. VPN support in Citrix Secure Access for macOS and iOS has been rewritten from the ground up using Apple’s public Network Extension framework.

Note

  • Citrix SSO for iOS is now called Citrix Secure Access. We are updating our documentation and the UI screenshots to reflect this name change.

  • Citrix Secure Access for macOS is supported on 10.15 (Catalina), 11.x (Big Sur) and 12.x (Monterey). It supports devices with Intel chips and M1 chips.

  • Users whose hardware cannot be upgraded to one of the versions mentioned earlier (macOS 10.15 and macOS 11.0) have access to the last compatible version on the App Store, but the older versions receive no further updates.
  • If a macOS user switches between the App Store app and the TestFlight preview build, in either direction, the user must recreate the connection profile by performing the following steps:
    1. Click the hamburger menu and then click Configuration.
    2. Delete the profile from the list and add the same profile again.

Major features of Citrix Secure Access client for macOS/iOS

  • Password tokens: A password token is a 6-digit code that is an alternative to Secondary Password Services such as VIP and Okta. This code uses the Time-based One Time Password (T-OTP) protocol to generate the OTP code, similar to services such as Google Authenticator and Microsoft Authenticator. Users are prompted for two passwords during authentication to NetScaler Gateway for a given Active Directory user. The second factor is a changing six-digit code that users copy from a registered third-party service such as Google or Microsoft Authenticator into the desktop browser. Users must first register for T-OTP on the NetScaler appliance. For registration steps, refer to https://support.citrix.com/article/CTX228454. On the app, users can add the OTP feature by scanning the QR code generated on NetScaler or by manually entering the TOTP secret. Once added, OTP tokens appear in the Password Tokens segment of the user interface.

To improve the experience, adding an OTP prompts the user to create a VPN profile automatically. Users can take advantage of this VPN profile to connect to the VPN directly from their iOS devices.

Citrix Secure Access client for macOS/iOS can be used to scan the QR code while registering for native OTP support. NetScaler Gateway Push notification functionality is available only to the Citrix Secure Access for macOS/iOS users.

  • Push notification: NetScaler Gateway sends a push notification to your registered mobile device for a simplified two-factor authentication experience. Instead of launching Citrix Secure Access client for macOS/iOS to provide the second factor OTP on the NetScaler logon page, you can validate your identity by providing your Device PIN/Touch ID/Face ID for the registered device.

Once you register your device for Push notification, you can also use the device for native OTP support using Citrix Secure Access for macOS/iOS. Registration for Push Notifications is transparent to the user. When users register TOTP, the device is also registered for Push Notifications if NetScaler supports it.
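The password-token mechanism described above can be illustrated with a short sketch. This is an added example, not Citrix or NetScaler code: it derives the six-digit code from a manually entered TOTP secret and shows the server-side check with a clock-skew window. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step) and a base32-encoded secret; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed RFC 6238 defaults; the page only states that the code has six digits.
STEP_SECONDS = 30
DIGITS = 6


def decode_secret(secret_b32: str) -> bytes:
    """Decode a hand-typed base32 secret, tolerating spaces, case and missing padding."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, at: float, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """Compute the code for Unix time `at` (HMAC-SHA1 with RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", max(int(at), 0) // step)
    mac = hmac.new(decode_secret(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, at: float, drift_steps: int = 1) -> bool:
    """Verifier side: accept the current step plus/minus `drift_steps` for clock skew."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret_b32, at + delta * STEP_SECONDS)
        # compare_digest avoids leaking how many leading digits matched.
        ok |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return ok


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# grouped the way a user might type it in by hand.
SAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code, "accepted:", verify(SAMPLE_SECRET, code, now))
```

A wider `drift_steps` tolerates more clock skew on the device but lengthens the time a captured code stays usable.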
