Citrix Secure Access clients and supported features
Important:
Citrix SSO for iOS/Android is now called Citrix Secure Access. We are updating our documentation and the UI screenshots to reflect this name change.
The legacy VPN client was built using Apple’s private VPN APIs, which are now deprecated. VPN support in Citrix Secure Access client for macOS/iOS has been rewritten using Apple’s public Network Extension framework. NetScaler Gateway plug-in and VPN for iOS and macOS are no longer supported. Citrix Secure Access for iOS/macOS is the recommended VPN client.
General availability of nFactor authentication support for Android devices is planned for one of the upcoming releases.
System requirements
Citrix Secure Access client as a desktop app is supported for the following operating systems and web browsers.
Supported operating systems | Supported versions | Supported browsers | Supported deployments |
---|---|---|---|
macOS | 12.x (Monterey), 13.x (Ventura), 14.x (Sonoma), and 15.x (Sequoia) | Safari 7.1-18.1; Google Chrome Release 30 or later; Mozilla Firefox Release 30 or later | NetScaler Gateway and Citrix Secure Private Access |
Windows | Windows 10 and Windows 11 | Google Chrome Release 30 or later; Mozilla Firefox Release 24 or later; Edge Chromium | NetScaler Gateway and Citrix Secure Private Access |
Windows Server | Windows Server 2016, Windows Server 1709, Windows Server 1803, and Windows Server 2019 | | |
Ubuntu | 18.04, 20.04, and 22.04 | Mozilla Firefox Release 44 and above; Google Chrome 50 and above | NetScaler Gateway and Citrix Secure Private Access |
Note:
Currently, Citrix Secure Access client and Citrix EPA client for Ubuntu support only the default GNOME display manager.
Citrix Secure Access client as a mobile app is supported for the following operating systems.
VPN app | Supported versions | Supported deployments |
---|---|---|
Android | Android 12, Android 13, Android 14, and Android 15 | NetScaler Gateway |
iOS | iOS 13, iOS 14, iOS 15, iOS 16, iOS 17, and iOS 18 | NetScaler Gateway |
Note:
If you are using the latest Apple OS versions such as macOS 15/iOS 18 and later, then we recommend that you upgrade to Citrix Secure Access client version 24.09.1 or later.
Supported features
Citrix Secure Access client features supported in NetScaler Gateway
The following table lists some of the commonly used features supported for each VPN client.
Feature | Citrix Secure Access for Windows | Citrix Secure Access for Linux | Citrix Secure Access for macOS | Citrix Secure Access for iOS | Citrix Secure Access for Android |
---|---|---|---|---|---|
Always On (user mode) | Yes (11.1 and later) | No | No | No | Yes (via MDM) |
PAC file | Yes (12.0 and later) | No | Yes | Yes | No |
Client proxy support | Yes | No | No | No | Yes. See note 1 |
Max limit of Intranet Applications | 512 | 128 | No limit | No limit | No limit |
Intranet IP (IIP) support | Yes | Yes | Yes | Yes | Yes |
Split tunnel ON | Yes | Yes | Yes | Yes | Yes |
Split tunnel reverse | Yes | Yes | Yes | Yes | Yes. See note 5 |
Split DNS REMOTE | Yes | Yes | Yes | Yes | Yes. See note 6 |
Split DNS BOTH | Yes | No | Yes | Yes | Yes. See note 6 |
FQDN based split tunnel | Yes-Only ON (13.0 and later) | No | Yes | Yes | Yes. See note 5 |
Client idle timeout | Yes | No | Yes | No | No |
Endpoint analysis | Yes | Yes | Yes | No | No |
Device certificate (classic) | Yes | No | Yes | No | No |
nFactor authentication | Yes (12.1 and later) | Yes | Yes | Yes | Yes. See note 3 |
EPA (nFactor) | Yes (12.1 and later) | No | Yes | No | No |
Device certificate (nFactor) | Yes (12.1 and later) | No | Yes | No | No |
Push notification | Yes (12.1 and later) | No | No | Yes | Yes |
OTP token autofill support. See note 2 | No | No | No | Yes | Yes |
TLS 1.3 support | Yes | Yes | Yes. See note 7 | Yes. See note 7 | Yes |
DTLS support. See note 4 | Yes (13.0 and later) | No | Yes | Yes | No |
HTTPOnly cookies | Yes | Yes | Yes | Yes | Yes |
Global server load balancing (GSLB) | Yes | Yes | Yes | Yes | Yes |
Local LAN access | Yes | No | Always enabled | Always enabled | No |
Note:
1. Setting a proxy in the client configuration on the VPN virtual server in the gateway configuration is supported for Android 10 and later. Only basic HTTP proxy configuration with IP address and port is supported.
2. Only QR code-scanned tokens are eligible for autofill. Autofill is not supported in the nFactor authentication flow.
3. nFactor authentication support for Android devices is under preview and the feature is disabled by default. Contact NetScaler support to enable this feature. Customers must provide their NetScaler Gateway’s FQDN to the support team to enable nFactor authentication for Android devices.
4. For details, see Configure DTLS VPN virtual server using SSL VPN virtual server.
5. FQDN-based split tunnel support and reverse split tunnel for Android devices are under preview and disabled by default. Contact NetScaler support to enable this feature. Customers must provide their NetScaler Gateway’s FQDN to the support team to enable it for Android devices.
6. For Split DNS BOTH mode, DNS suffixes must be configured on the gateway, and only DNS A record queries ending in those suffixes are sent to the gateway. The rest of the queries are resolved locally. Citrix Secure Access for Android also supports Split DNS LOCAL mode.
7. TLS 1.3 is disabled by default in the Citrix Secure Access client for macOS and iOS. If required, contact Citrix Support.