Release Notes

The release notes describe the new features, enhancements to existing features, fixed issues, and known issues available in a service release. The release notes include one or more of the following sections:

What’s new: The new features and enhancements available in the current release.

Fixed issues: The issues that are fixed in the current release.

Known issues: The issues that exist in the current release and their workarounds, wherever applicable.

Important information:

  • EPA clients are supported on macOS 10.13, 10.14, 10.15, 11.x, 12.x and 13.x versions.
  • EPA clients are supported on the NetScaler 12.1, 13.0, 13.1, and 14.1 versions.
  • Citrix Secure Access for macOS/iOS 24.06.1 and later releases address the TunnelVision vulnerabilities described in CVE-2024-3661.

V24.11.1 (25 Nov 2024)

What’s new

  • Monitor TCP application session activity in Citrix Director

    The Citrix Secure Access client for macOS now sends TCP application session activity to Citrix Director for both cloud and on-premises deployments of Citrix Secure Private Access.

    [CSACLIENTS-11081]

  • Monitor session activity events in Citrix Director

    The Citrix Secure Access client for macOS now sends summarized session activity events such as successful app launches, app launch failures, and DNS failures, to Citrix Director for both cloud and on-premises deployments of Citrix Secure Private Access.

    [CSACLIENTS-11959]

  • Support for contextual access feature in Secure Private Access

    The Citrix Secure Access client supports the contextual access feature that enables an admin to enforce ZTNA policies dynamically based on the user context like network location, geo location, and device posture. For more information, see Context-based app routing and resource locations selection.

    [CSACLIENTS-11580]

  • EPA libraries are updated to 24.11.1.0 (OPSWAT OESIS library V 4.3.3820.0).

    [CSACLIENTS-12523]

V24.10.1 (17 Oct 2024)

What’s new

  • Support to exclude DNS traffic by Citrix Secure Access client

    You can now configure the Citrix Secure Access client to exclude DNS traffic from being intercepted. For more information, see Exclude specific domain traffic from client interception.

    [CSACLIENTS-10237]

  • EPA libraries are updated to 24.09.1.0 (OPSWAT OESIS library V 4.3.3750.0).

    [CSACLIENTS-11371]

  • This release addresses some issues to improve the overall performance and stability.

V24.09.1 (16 Sep 2024)

Important:

If you are using the latest Apple OS versions such as macOS 15/iOS 18 and later, then we recommend that you upgrade to Citrix Secure Access client version 24.09.1 or later. For more information about the NetScaler Gateway client software requirements, see Citrix Secure Access client system requirements.

What’s new

  • System notifications support for Secure Private Access

    The Citrix Secure Access client now supports system notifications for on-premises deployment of Secure Private Access.

    [CSACLIENTS-10726]

  • EPA libraries are updated to 24.08.1.0 (OPSWAT OESIS library V 4.3.3709.0).

    [CSACLIENTS-11369]

  • This release addresses some issues to improve the overall performance and stability.

V24.08.1 (14 August 2024)

What’s new

  • This release addresses some issues to improve the overall performance and stability.

V24.07.1 (15 July 2024)

What’s new

  • EPA libraries are updated to 24.06.1.0 (OPSWAT OESIS library V 4.3.3612.0).

    [CSACLIENTS-10605]

  • This release addresses some issues to improve the overall performance and stability.

V24.06.2 (27 June 2024)

What’s new

This release addresses the IPv6 login issues.

V24.06.1 (24 June 2024)

What’s new

  • This release addresses the TunnelVision vulnerabilities described in CVE-2024-3661.

    [CSACLIENTS-10918 ]

  • This release addresses some issues to improve the overall performance and stability.

  • EPA libraries are updated to 24.05.2.0 (OPSWAT OESIS library V 4.3.3586.0).

    [CSACLIENTS-10601]

  • EPA scan to check Citrix Workspace app version

    Citrix Secure Access supports a new EPA scan CWA Version, that verifies the Citrix Workspace version on macOS machines. For details about the supported EPA scans, see Expression strings.

    [CGOP-6422]

  • Interoperability enhancements with third-party secure web gateway

    The User-Agent strings for Citrix Secure Access have been updated for an enhanced interoperability with third party secure web gateways.

    [CSACLIENTS-8501]

Fixed issues

  • Citrix Secure Access fails to bypass the VPN tunnel for the excluded apps, if per-app VPN with reverse split tunneling is enabled.

    [CSACLIENTS-10340]

24.6.1 EPA client for macOS (18 Jun 2024)

What’s new

  • EPA scan to check Citrix Workspace app version

    Citrix EPA client supports a new scan, “CWA Version”, that verifies the Citrix Workspace version on macOS machines. For details about the supported EPA scans, see Expression strings.

    [AAUTH-4918]

V24.04.1 (18 April 2024)

What’s new

  • EPA libraries are updated to 24.04.1.0 (OPSWAT OESIS library V 4.3.3503.0).

    [CSACLIENTS-9559]

  • This release addresses some issues to improve the overall performance and stability.

V24.03.1 (14 Mar 2024)

What’s new

  • EPA libraries are updated to 24.03.1.0 (OPSWAT OESIS library V 4.3.3460.0).

  • Automatic single sign-on (SSO) to Citrix Secure Access through Citrix Workspace app - Preview

    Citrix Secure Access for macOS now supports automatic single sign on (SSO) to Citrix Secure Access when you log on to Citrix Workspace app. Ensure that you use Citrix Secure Access for macOS 24.03.1 and Citrix Workspace app for Mac 2402 and above, to leverage this functionality. This feature is supported only on cloud stores and not for on‑premises stores.

    [CSACLIENTS-6321]

  • Overall performance and stability improvements

    Citrix Secure Access client is enhanced with the following capabilities to improve the overall performance and stability:

    • An increase in the number of the simultaneous connections that can be tunneled through a VPN. This is applicable only to iOS clients.
    • An improved VPN connection resiliency with IPv6 gateways. This is applicable to both macOS and iOS clients.

    [NSHELP-36903]

V24.02.1 (15 Feb 2024)

What’s new

  • Support for EPA scan operators on Mac clients

    Citrix Secure Access client for macOS now supports all the operators <, >, >=, <=, ==, and != on the EPA editor. Also, the Mac OS option is available as a separate option on the EPA editor (Mac > Mac OS). You can perform a product version scan of your macOS devices using these operators.

    For details, see the Note section in Advanced Endpoint Analysis scans.

    [CSACLIENTS-6462]

  • EPA libraries are updated to 24.1.2.1 (OPSWAT OESIS library V 4.3.3405.0).

    [CSACLIENTS-8520]

  • This release addresses some issues to improve the overall performance and stability.

24.1.5 EPA client for macOS (12 Feb 2024)

What’s new

  • EPA support for Mac devices with Apple silicon processor

    Citrix EPA client now supports Mac devices that use the Apple silicon processor. Mac devices no longer require Rosetta to be installed to run the Citrix EPA client.

    [CSACLIENTS-8731]

  • Support for EPA scan operators on Mac clients

    Citrix EPA client for Mac now supports the operators (<, >, >=, and <= ) in the EPA expressions. Admins can configure EPA scans to allow a wide range of OS versions.

    For example, to allow the OS versions from 12.4 to 13.0, except 12.8, admins can configure the expression version >= 12.4 && version <= 13.0 && version != 12.8. This means that the macOS version must be from 12.4 to 13.0 but cannot be 12.8.

    For details, see Advanced Endpoint Analysis scans.

    [CSACLIENTS-6462]

V23.12.2 (20 Dec 2023)

What’s new

This release addresses issues to improve the overall performance and stability.

V23.12.1 (06 Dec 2023)

What’s new

  • EPA libraries are updated to 23.11.1.5 (OPSWAT OESIS library V 4.3.3318.0).

    [CSACLIENTS-8516]

  • This release addresses other issues to improve the overall performance and stability.

V23.11.2 (01 Nov 2023)

What’s new

EPA libraries are updated to 23.11.1.1 (OPSWAT OESIS library V 4.3.3279.0).

[CSACLIENTS-8515]

V23.11.1 (27 Oct 2023)

What’s new

  • Citrix SSO for iOS is now renamed to Citrix Secure Access. We are updating the UI screenshots in our documentation to reflect this name change.

  • EPA libraries are updated to 23.10.1.1 (OPSWAT OESIS library V 4.3.3246.0).

  • This release addresses the following:

    • Connection issues with the Citrix Secure Private Access environment.
    • Other issues to improve the overall performance and stability.

V23.10.2 (17 Oct 2023)

This release addresses the IPv6 login issues.

V23.10.1 (09 Oct 2023)

What’s new

  • EPA libraries are updated to 23.9.1.2 (OPSWAT OESIS library V4.3.3221.0).

  • Support for Local LAN access

    Citrix Secure Access for macOS / Citrix SSO for iOS now support the Local LAN access functionality of NetScaler Gateway. You can configure local LAN access so that once a VPN connection is established, end users are either allowed to or blocked from accessing local LAN resources on their client devices. For more information, see the following:

V23.09.1 (07 Sep 2023)

Important:

If you are using the latest Apple OS versions such as macOS 14/iOS 17 and later, then we recommend that you upgrade to Citrix Secure Access client/Citrix SSO version 23.09.1 or later. For more information about the NetScaler Gateway client software requirements, see Citrix Secure Access client system requirements.

What’s new

  • EPA libraries are updated to 1.3.9.9 (OPSWAT OESIS v4.3.3160).

    [CSACLIENTS-6547]

  • Secured connection insights on the UI

    On the “Connections” screen of the Citrix Secure Access client UI, you can view the secured connection details. The details include the IP address, FQDN, destination port, and the duration of the connection. For more information, see Secured connection insights.

    [SPA-2364]

  • Reauthenticate with NetScaler Gateway after a VPN connection failure

    Citrix Secure Access client for macOS and Citrix SSO for iOS now prompt you to reauthenticate with NetScaler Gateway when a VPN connection is lost. You are notified on the UI indicating that the connection to NetScaler Gateway is lost and that you must reauthenticate to resume the connection. For more information, see:

    [CSACLIENTS-6071]

V23.08.1 (24 Aug 2023)

What’s new

  • This release addresses issues that help to improve overall performance and stability.

  • EPA libraries are updated to 1.3.9.9 (OPSWAT OESIS v4.3.3122).

23.7.6 EPA client for macOS (10 Aug 2023)

This release addresses issues that help to improve overall performance and stability.

V23.07.1 (17 Jul 2023)

What’s new

  • Various options to share log files

    The “Email Logs” option in Citrix SSO for iOS is now replaced with the “Share Logs” option. The compressed log files can now be shared through options such as email, chat, save to files, and so on.

    For more information, see Send logs.

    [CSACLIENTS-3834]

  • Enhancements to Logs page

    The Logs page of Citrix Secure Access for macOS is enhanced with the following options:

    • Maximum number of log files: Specify the maximum number of log files that you want to add for log collection.
    • Email logs: Send the logs over email.

    For more information, see Send logs.

    [SPA-2365]

Fixed issues

When connecting to VPN, if you are prompted to select a certificate for authentication, then the authentication login screen appears behind the Citrix Secure Access client’s home page.

[CSACLIENTS-455]

V23.06.1 (07 Jun 2023)

What’s new

  • Help menu on the navigation bar

    A Help menu is now added to the navigation bar of the Citrix Secure Access client. The options (Open Logs, Export Logs, Email Logs, and Clear Logs) in the Help menu can be used for debugging logs.

    An Email Logs option is introduced under the Help menu. It can be used to share the logs over email. For more information, see Send logs.

    [SPA-2361]

Fixed issues

In some cases, the DNS short name resolution fails on Citrix Secure Access for macOS and Citrix SSO for iOS.

[NSHELP-34568]

Known issues

In some cases, the excluded routes in reverse split-tunneling are tunneled.

[CGOP-24575]

V23.05.2 (11 May 2023)

Fixed issues

After an upgrade, the Citrix SSO for iOS client devices cannot establish per-app VPN connections.

[NSHELP-35224]

V23.05.1 (04 May 2023)

What’s new

  • EPA libraries are updated to 1.3.9.3 and OPSWAT libraries are updated to 4.3.2987.

  • Support for sending events to Citrix Analytics

    Citrix Secure Access for macOS now supports sending events such as session creation, session termination, and app connection to Citrix Analytics service. These events are then logged in the Secure Private Access service dashboard.

    [SPA-2197]

Fixed issues

  • When the users are connected to Citrix Secure Access or Citrix SSO, the “Connection Duration” field fails to display the time in the region-specific format.

    [CGOP-23587]

V23.04.1 (04 Apr 2023)

What’s new

  • EPA libraries are updated to 1.3.9.1 and OPSWAT libraries are updated to 4.3.2923.

V22.12.2 (27-Feb-2023)

What’s new

  • EPA libraries are updated to 1.3.8.9 (OPSWAT OESIS v4.3.2892.0).

V22.12.1 (07-Dec-2022)

This release addresses issues that help to improve overall performance and stability.

V22.11.1 (29-Nov-2022)

Fixed issues

  • Transfer logon does not work for non-nFactor authentication with on-premises gateways.

    [CGOP-22729]

22.11.3 EPA plug-in for macOS (28-Nov-2022)

Fixed issues

  • Citrix EPA plug-in for macOS crashes when GSLB is enabled on NetScaler.

    [CGOP-22722]

V22.10.1 (17-Nov-2022)

What’s new

  • The Citrix Endpoint Analysis plug-in now supports new MAC address validation expression where pattern sets can be created for the list of allowed IP addresses.

    [CGOP-22095]

Fixed issues

  • Sometimes, empty proxy settings in NetScaler Gateway release 13.0 or 13.1 causes Citrix SSO to create improper proxy settings.

    [NSHELP-31970]

  • Sometimes, VPN clients fail to reconnect after a network outage or after the device wakes up from sleep mode.

    [NSHELP-32483]

  • Sometimes, gateway connections fail when using IPv6 literals as the destination.

    [NSHELP-32876]

22.10.1 EPA plug-in for macOS (27-Oct-2022)

What’s new

  • The Citrix Endpoint Analysis plug-in now a supports new MAC address validation expression where pattern sets can be created for the list of allowed IP addresses.

    [CGOP-22098]

  • The Citrix Endpoint Analysis plug-in sends duplicate consent alerts while handling private network access preflight requests from Google Chrome.

    [CGOP-21751]

V22.06.1 (20-Sep-2022)

What’s new

  • EPA libraries are updated to 4.3.2523.0 (1.3.7.5)

Fixed issues

  • nFactor authentication with EPA scan does not work on the macOS clients.

    [NSHELP-32182 - macOS]

  • On the Secure Access Agent home page for macOS, extra padding with white or black color appears on the left and top of the hamburger menu depending on the selected theme (light or dark).

    [CGOP-19353 - macOS]

  • When logging into the VPN, the WebView window minimizes on the first try if the device certificate is configured.

    [CGOP-19354 - macOS]

  • Endpoint analysis does not work for the Citrix Secure Access app on the macOS client when GSLB is enabled on the NetScaler appliance.

    [CGOP-21634 - macOS]

  • If there is a space in the configured application name and you try to access the app, the Enhanced Security Enabled popup does not show up on the macOS clients.

    [ACS-2632 - macOS]

  • nFactor authentication with an optional client certificate fails when there are no appropriate client certificates on the device.

    [NSHELP-32127 - iOS]

  • On a Mac device using Chrome, the VPN extension crashes while accessing two FQDNs.

    [NSHELP-32144]

  • Citrix Secure Access crashes when an incorrect location value is received from the gateway. This can happen if the administrator defines a responder policy to redirect to another host.

    [NSHELP-32312]

  • Direct connections to the resources outside of the tunnel established by Citrix Secure Access might fail if there is a significant delay or congestion.

    [NSHELP-31598]

V3.2.4.9 - EPA plug-in for macOS (01-Aug-2022)

Fixed issues

  • Citrix Endpoint Analysis plug-in does not handle private network access preflight requests from the Google Chrome browser version 104.

    [CGOP-20709]

  • Citrix Endpoint Analysis plug-in for macOS does not support GSLB.

    [CGOP-21543]

Known issues

  • Citrix Endpoint Analysis plug-in for macOS displays a duplicate consent dialog box when started from the Google Chrome browser version 104. The users have to accept both the prompts.

    [CGOP-21751]

V22.03.1 (14-Jun-2022)

What’s new

  • EPA libraries are updated to 4.3.2393.0.

Fixed issues

  • An extra DNS domain is added to the search list. This is because, when the split tunnel is set to “Split” or “Both” only the specified domains and their subdomains are NOT tunneled. If the specified domain is A.B.C, then B.C is also matched in addition to A.B.C and *.A.B.C.

    [CGOP-21657]

  • HTTP/HTTPS proxy settings that do not use a PAC file are broken.

    [CGOP-21660]

V22.02.3 (24-Mar-2022)

What’s new

  • Citrix Secure Access for macOS resolves the FQDN of a service node on every TCP data connection from the client for the cloud workspace connections. Resolving the FQDN of a service node on every TCP data connection is not applicable for the on-premises gateway connections.

    [ACS-1068]

Fixed issues

  • Sometimes, the Citrix Secure Access for macOS drops connections because of issues with some non-DNS protocols using port 53, such as STUN.

    [NSHELP-31004]

  • The Citrix Secure Access app breaks some protocols when the server sends data before the client, immediately after the connection is established.

    [NSHELP-29374]

  • If the user closes the authentication window of the Citrix Secure Access client for macOS without completing the authentication, then subsequent attempts to connect to the server fail until the app is restarted.

    [ACS-2415]

  • The Citrix Secure Access client for macOS is now bundled with OPSWAT library version 4.3.2367.0

    [NSHELP-30802]

  • Citrix Secure Access for macOS takes a longer time than expected to run the post-authentication EPA check.

    [NSHELP-29118]

Known issues

  • Citrix Secure Access app for macOS logs out one minute after the already connected Citrix Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.

    [ACS-2715]

V22.02.2 (15-Feb-2022)

Fixed issues

  • Multiple pop-ups are displayed when a user tries to access an unsubscribed Web app from Citrix Secure Access for macOS.

    [ACS-2406]

V22.01.1 (08-Feb-2022)

Fixed issues

  • Per-App VPN connections with Citrix SSO for iOS devices fail to connect to NetScaler Gateway on ports other than 443.

    [NSHELP-30653]

V1.4.1 (28-Jan-2022)

what’s new

  • The Citrix SSO app for macOS is now rebranded as Citrix Secure Access.

    [ACS-1092]

Fixed issues

  • Client certificate authentication fails if the authentication server requests for the client certificate multiple times in the same web view session.

    [CGOP-20388]

  • Citrix SSO fails to establish a VPN connection if the server certificate has only an IP address for common name because of a proxy in between the client and the ADC.

    [CGOP-20390]

  • EPA scan for checking the antivirus last full system scan fails on macOS.

    [NSHELP-29571]

  • Sometimes, the Citrix SSO app crashes while handling large DNS packets.

    [NSHELP-29133]

V1.4.0 (17-Nov-2021)

Fixed issues

  • Sometimes, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

    [NSHELP-28942]

  • Citrix SSO fails to re-establish the VPN connection after network disruption.

    [CGOP-19988]

V1.3.13 (05-Nov-2021)

Fixed issues

  • You might experience failures when filtering sessions for managed versus unmanaged VPNs. The initial requests to establish the session are missing the “ManagedVpn” information in the User-Agent header.

    [CGOP-19561]

V1.3.12 (21-Oct-2021)

Fixed issues

  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [NSHELP-28551]

  • The Citrix SSO app crashes intermittently when receiving notifications.

    [CGOP-19363]

  • The VPN extension might crash when the “isFeatureEnabled” parameter is called to check a feature flag.

    [CGOP-19360]

  • The gateway VPN extension crashes if the DTLS protocol has an empty payload.

    [CGOP-19361]

  • The SSO app crashes intermittently when the device wakes up from the sleep mode and the VPN is connected.

    [CGOP-19362]

V1.3.11 (17-Sep-2021)

Fixed issues

  • EPA scan for firewall check fails for macOS devices using Citrix SSO.

    [CGOP-19271]

  • Citrix SSO crashes in an iOS 12 device when legacy authentication or Intune Network Access Compliance (NAC) is configured.

    [CGOP-19261]

V1.3.10 (31-Aug-2021)

What’s new

  • Citrix SSO for macOS is now bundled with OPSWAT library version 4.3.1977.0.

    [NSHELP-28467]

V1.3.9 (13-Aug-2021)

Fixed issues

  • On some systems with HTTP proxy software installed, the NetScaler Gateway IP address shows up internally as 127.0.0.1 thus preventing tunnel establishment.

    [CGOP-18538]

  • The setting “Block Untrusted Servers” does not work on systems that support non-English localization of Citrix SSO for iOS.

    [CGOP-18539]

  • Citrix SSO cannot connect to systems where the DNS name does not match the common name in the server certificate. Citrix SSO now checks for the subject alternative names, and connects correctly.

    [NSHELP-28348]

V1.3.8 (07-Jul-2021)

What’s new

  • Citrix SSO for macOS is compatible with versions 10.15 (Catalina) and higher only.

    [CGOP-12555]

  • Starting from Citrix SSO for macOS version 1.3.8, the EPA libraries are embedded within the app and are not downloaded from the NetScaler Gateway server. The current embedded EPA library version is 1.3.5.1.

    [NSHELP-26838]