Upcoming Removal of MMC-based Studio. As part of our transition to Web Studio, the MMC-based Studio will be removed from the CR 2511 installer. This change establishes Web Studio as the single management console, providing administrators with a consistent experience, modern interface, streamlined workflows, and enhanced capabilities.

The deprecation of MMC-based Studio was first announced in the 2411 release. We recommend transitioning to Web Studio to take advantage of its updated features and intuitive design.

This feature brings an exciting new capability to Studio App Packages enabling discovery and assignment for elastic app layers.

With this feature you can:

• Configure Studio App Packages to discover and enumerate a library of elastic app layers which were authored using Citrix App Layering.
• Create assignment policies for delivering the apps elastically to any of your non-persistent machine catalogs.
• Elastic app layers are "portable" and can be assigned to users logging into any non-persistent Windows machine, regardless of the version of the Windows OS, or whether or not the image was published from an App Layering appliance.

The enhanced log collection and reporting capabilities for Citrix Endpoint Management (CEM) clients include:

• Quicker identification and resolution of issues.
• Streamlined troubleshooting processes.
• Improved support and assistance.

These enhancements are designed to improve the overall user experience for CEM clients by making IT support team more efficient and effective.  

Learn more about this feature in our product documentation here. 

The XenMobile Server now includes a new property, 'ios.mdm.minimum_os_version.enrollment', which enforces a minimum OS version requirement to complete setup on devices using Automated Enrollment. This feature ensures that only the devices running on iOS 17 or later can complete the enrollment process, while enhancing security and compatibility. By default, this property is set to 'True'. 

Learn more about this feature in our product documentation here.

Using Full Configuration, you can now change the size of MCS-provisioned VMs in Azure environments. The feature applies to both persistent VMs and non-persistent VMs.

In Google Cloud environments, you can now browse and use global or regional customer-managed encryption-key (CMEK) from all projects that are accessible to the service account. This feature enhances the flexibility to manage encryption keys. This feature requires extra permission for host connection to browse key outside the provisioning project. 

The VDA Upgrade Service has a new tab with three new options, giving admins more control over their VDA upgrades.

• Exit on error - set a failure threshold that, if met, will pause upgrades for the selected VDAs
• Scheduled duration - set a duration for the VDA upgrades to take place, staggering the VDA upgrades throughout the duration
• Upgrade when sessions are disconnected - enable VDA upgrades if a user has a disconnected session to the VDA

We're adding the Service Principal feature to eventually replace Secure Client usage for Citrix Cloud automation. This new feature enhances security on Citrix Cloud by de-coupling rights and visibility from the creating admin, supporting secret key expiration, and enabling the use of multiple secret keys to facilitate key rotation workflows. This feature will also provides the ability to migrate existing secure clients to service principals without disrupting existing automation.

Documentation link: https://developer-docs.citrix.com/en-us/citrix-cloud/citrix-cloud-api-overview/get-started-with-citrix-cloud-apis.html 

The Return to Service feature in iOS 17 is a new feature designed to streamline device management for IT administrators. With the ios.mdm.return.to.service property set to True by default, this feature can be utilized for iPhones and iPads running iOS 17 or later.

This feature enhances the Erase command from MDM/UEM servers by allowing it to include additional parameters that automate several critical processes. It enables devices to automatically reset to factory settings and securely wipe all data, ensuring that sensitive information is completely erased. Additionally, the feature allows devices to automatically connect to a specified Wi-Fi network, eliminating the need for manual intervention and reducing errors.

One of the key advantages of the Return to Service feature is its ability to automatically re-enroll devices into the MDM/UEM server. Once reset and connected to Wi-Fi, devices will rejoin the management system, ready for configuration and use according to the organization's policies and requirements.

Learn more about this feature in our product documentation here.

Terms and Conditions are now displayed during the Device Enrolment Program (DEP) and ensure users have access to all required details, providing the following enhancements:

• User awareness and agreement to policies, maintaining adherence to company standards.
• Seamless and transparent enrollment process during DEP, reducing confusion and ensuring that users are fully informed.
• Operational efficiency by eliminating the need for distributing "paper T&C," streamlining the process and saving time for both users and administrators.
• Modern digital practices, enhancing the overall efficiency and professionalism of the device rollout process.

Learn more about this feature in our product documentation here.

Experience specific settings for different user groups

Administrators can now manage settings for specific user groups, rather than uniformly applying them across all store users. Within Global App Configuration service (GACS), you can use Configuration profile to identify a collection of user groups and manage settings for them according to your requirements. Similarly, you can create multiple configuration profiles, thereby bringing up the advantage that you can apply specific experiences to different user groups.

Learn more about the feature here.

Support to block or restrict Apple Intelligence for iOS: In Restriction policy for iOS, the following new settings are added to block access to Apple Intelligence (AI) or restrict some of the new features. These settings are applicable for iOS versions 18 and later. Default is On. For more information, see Restrictions Policy. 

• Genmoji
• Image Playground
• Image Wand
• iPhone Mirroring
• Personalized Handwriting Results
• Writing Tools

Support to block or restrict Apple Intelligence for macOS: In Restriction policy for macOS, the following new settings have been added to block access to Apple Intelligence (AI) or restrict some of the new features. These settings are applicable for macOS versions 15 and later. Default is On. For more information, see Restrictions Policy. 

• Image Playground
• iPhone Mirroring
• Writing Tools

In AWS environments, you can create an MCSIO enabled MCS machine catalog. This feature is supported only for non-persistent machine catalogs. MCSIO improves the boot performance of VMs by leveraging two stages of caching technology from MCS. The following MCSIO functionalities are supported:

• WBC disk size
• WBC disk storage type
• WBC memory size
• Persistent OS disk
• Persistent WBC disk

 Learn more.

When creating a catalog in AWS environments, admins can now select a master image (AMI) with NitroTPM and/or secure boot enabled. Accordingly, MCS will provision VMs in the catalog to also have NitroTPM and/or secure boot enabled.

For more information about this feature, see https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/machine-catalogs-create/create-machine-catalog-aws#enable-nitrotpm-and-uefi-secure-boot-for-vm-instances. 

Check our new configuration guide that allows you to review critical configurations that can improve the performance of Local Host Cache and Service Continuity and help minimize disruption during network disruptions or cloud outages. Learn more.

The Session Recording service is now available for provisioning in Citrix Cloud Japan. For more information, please refer to our product documentation.

Check our new configuration guide that allows you to review critical configurations that can improve the performance of Local Host Cache and Service Continuity and help minimize disruption during network disruptions or cloud outages. Learn more.

The  PVS Configuration Wizard enumerates all database instances looking for potential PVS instances which can can take time if a customers has a lot of DB instances.  With this feature, PVS will remove and allow admins to enter the database instance manually, and it would greatly improve customers experience when setting up new farms and upgrading. 

With this feature, in AWS virtualization environments, you can use a "Follow-Me" tag that will be applied to a static single-session OS VM identifying the user assigned to the particular machine.

The Follow-me tag can then be used by an IT chargeback system for determining individual user or business unit (BU) consumption based on aggregating the tag with other tags containing the same assigned user and/or users in the same BU.

In the Restriction policy, a new setting, Preserve eSIM on Erase, is introduced to ensure the eSIM is retained when the device is erased due to excessive failed password attempts or when using the "Erase All Content and Settings" option in Settings > General > Reset. This setting is available for iOS versions 17.2 and later, with the default set to Off.

For more information, see Restrictions device policy.

Custom URLs are customer-defined hyperlinks that links to specific websites. Administrators can set up custom URLs according to their preferences on Workspace UI. This feature helps users to easily access specific websites simply by clicking the custom URLs defined by the administrators. There is no need to enter the URLs manually each time, making navigation to websites effortless and faster.

Learn more about the feature here.

This feature enables sharing prepared image to different subscriptions and tenants on Azure. This enables an admin to use a single image to create and update multiple catalogs across different Azure subscriptions and tenants.

Citrix Endpoint Management delivers a unified platform experience by offering consistent navigation across Citrix products for users logging in from Citrix Cloud. This feature relocates the navigation bar within the overall user interface and introduces a new left-side navigation bar. Some of the key features are as follows: 

• Operational efficiency:
  • Access key services directly
  • View recent activity at a glance
  • Quick links to actions within the product

• Educational hub:
  • Citrix roadmap
  • Upcoming events
  • Quick links to training, community resources, and technical documentation

• Improved navigation:
  • Consistent look and feel across all Citrix solutions
  • Simplified navigation with breadcrumbs and a page path
  • Customizable features like pinning

Conditional authentication allows administrators to configure multiple identity providers (including multiple instances of the same identity provider type) in Citrix Cloud. Administrators can then establish the set of conditions under which those identity providers are used for authenticating users.

Conditions will initially include:

• Domain and UPN
• Group membership
• Workspace URL

Links:

• Tech preview documentation available here: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/conditional-authentication
• Blog: https://www.citrix.com/blogs/2024/08/02/introducing-native-conditional-authentication-to-citrix-cloud/ 

In the Control OS Update device policy, a new radio button named Install ASAP is added in the OS update options for iOS. This feature allows you to install the previously downloaded OS updates immediately for iOS devices. For more information, see Control OS Update device policy for iOS.

In Restriction policy, a new setting Web Distribution apps has been added to block the web distributed third party apps on iOS devices. This setting is applicable for iOS versions 17.5 and later. Contact your admin to enable this feature if needed.

Learn more about this feature in our product documentation here.    

Citrix Endpoint Management now supports group-based identity authentication for accessing its services through Azure Active Directory (AAD) and SAML identity providers. This update ensures that administrators can manage access at the group level using AAD group membership, offering flexibility and enhanced security. The legacy Citrix Identity login mechanism remains available as an alternative. 

Learn more about this feature in our product documentation here.

With this feature, when creating a machine catalog, VMs are not provisioned at catalog creation time, but rather the first time VMs are powered on. For non-persistent catalogs, the OS disk is deleted when the VM power state is set to Off, and recreated when the VM is powered up. The AWS on-demand provisioning feature reduces your storage costs and provides faster catalog creation.

For more information about this feature, see https://docs.citrix.com/en-us/citrix-daas/install-configure/power-management/power-manage-aws-vms#aws-on-demand-provisioning.

This feature bridges the gap between the different management models of XenServer and Citrix Virtual Apps and Desktops. It shows you the impact of changes to your XenServer pool on your Citrix Virtual Apps and Desktops sessions and enables you to manage your environment with confidence and efficiency.

We currently provide the following integrations with Citrix:

• View how VMs hosted on XenServer map to your Citrix environment.
• Receive warnings when actions that you are taking in your XenServer pool might affect Citrix Virtual Apps and Desktops sessions.

For more information, see Citrix Integration.

With the image management functionality, MCS separates the mastering phase from the overall provisioning workflow.

You can prepare an MCS image (Prepared Image) from a single source image and use it across multiple different MCS machine catalogs. This implementation significantly reduces the storage and time costs and simplifies the VM deployment and image update process.

The benefits of using this image management functionality are:

• Generate prepared images in advance without creating a catalog.
• Reuse prepared images in multiple scenarios, such as creating and updating a catalog.
• Significantly reduce catalog creation or update time.

For detailed information on image management, see [Image management | Citrix DaaS|https://docs.citrix.com/en-us/citrix-daas/install-configure/image-management.html] .

With this feature, you can convert an existing MCS provisioned catalog to image-decoupled catalog.

You can create image definitions and versions based on existing master image used by catalog. Using these prepared image versions, you can update existing machine catalogs with the validated image versions. Currently, this feature is applicable to Azure and VMware virtualization environments.

MCS currently offers PowerShell administrators a set of identity management commands primarily for on-premises Active Directory use cases. However, there is a growing demand from our customers to support new identity infrastructures, including Azure AD, Hybrid Azure AD, Intune enrollment, and non-domain joined scenarios. To address this, it is essential to provide a unified set of identity management commands that accommodate all these use cases. This standardization will improve ease of use and readability for administrators.

• New identity management command set with -AcctIdentity: New-AcctIdentity/Add-AcctIdentity/Update-AcctIdentity/Remove-AcctIdentity/ Unlock-AcctIdentity/Get-AcctIdentity/Repair-AcctIdentity and Reset-AcctIdentity
• Retire old commands: New-AcctADAccount/Add-AcctADAccount/Update-AcctADAccount/Remove-AcctADAccount/Unlock-AcctADAccount/Get-AcctADAccount/Repair-AcctADAccount

Citrix Endpoint Management and Mobile Productivity Apps now support Android 15

We're excited to announce that Citrix Endpoint Management and Mobile Productivity Apps are all set to support Android 15, starting with our latest release 24.10.0. Here are the latest releases of Mobile Productivity Apps that support Android 15:

• Secure Hub 24.10.0
• Secure Mail 24.9.1
• Secure Web 24.9.0

Your devices will continue to receive seamless support even after updating to Android 15.

With StoreFront 2411, the new UI is generally available. For more information, see New UI.

MCS has developed a new mechanism for managing on-premises Active Directory and Azure Active Directory (Azure AD) identity service accounts to simplify and enhance the management of machine identities including computer accounts in on-premises Active Directory, Azure AD joined devices and Intune enrolled devices. Firstly, we have introduced on-premises Active Directory service account support which allows administrators to manage computer accounts in on-premises Active Directory without having to enter domain credentials every time. Secondly, we have introduced Azure AD identity Service Principal Names (SPN) support which allows administrators to manage Azure AD joined or Intune enrolled devices in the Azure AD tenant, in a secure and streamlined manner. Lastly, we have implemented a new mechanism for service account management in our Studio, simplifying the process and making it easier to maintain security and compliance. For more information, see Service accounts for machine identity management.

With this feature, in a VMware environment, you can move the disk storage of existing VMs from an old storage to a new storage. During migration, MCS retains VM capabilities such as power management, reset OS disk, and so on. You can also add new VMs to the machine catalog using the new disk storage. For more information, see Storage migration of VMs.

In Azure environments, you can create an MCS machine catalog that supports hibernation. Using this feature, you can suspend a VM, and then reconnect to the previous state of the VM when a user signs in again. For more information, see Create hibernation-capable VMs.

With this feature, you can now enroll Hybrid Entra ID joined non-persistent VMs into Microsoft Intune (with Configuration Manager) for co-management. This feature applies to single and multi-session non-persistent VMs and on all hypervisors, ensuring uniform device management across your infrastructure. To avail the feature, the VDA version must be 2407 or later.

Click here to sign up for the private preview!

Connector Appliance Proxy for WEM and License Server allows Citrix-related traffic from WEM and License Server components to be routed through a Connector Appliance. This simplifies network configuration and enhances security by ensuring Citrix-related traffic has a single point of egress (the Connector Appliance) rather than requiring every component to be granted access to the public internet. The Connector Appliance only allows routing of traffic related to these services. Traffic to other services will be blocked.
 
Connector Appliance Proxy for WEM and License Server is enabled on a Resource Location level. Please provide the resource location name or ID below and wait for confirmation by email. After the feature is enabled, Connector Appliances in the resource location will have the ability to proxy traffic for the selected service on port 3128. For more information see the private preview documentation.

Citrix FAS is currently compatible only with Workspace in the Citrix Cloud commercial and Japan control planes. This means that the benefits of FAS cannot be used by customers using Workspace in the Citrix Cloud Gov control plane. Citrix is developing FAS for use with the Citrix Cloud Gov control plane with Workspace.

Citrix Gateway Service for StoreFront provides secure remote access virtual apps and desktops accessed from StoreFront. You can leverage the scalability and reliability of Citrix Cloud for HDX routing without needing to deploy on-premise infrastructure. Requires StoreFront 2407 or higher. For more information, see Citrix Gateway Service for StoreFront.

Citrix Workspace web extensions for StoreFront help you launch resources in your locally installed Citrix Workspace app without prompts to open Workspace launcher or downloading an .ica file, making your experience safer and more reliable.

End users must install the extension in their Chrome, Edge and Safari web browsers. Alternatively you can deploy them using group policy. For more information, see [Install Citrix Workspace web extension](https://docs.citrix.com/en-us/citrix-workspace/workspace-web-extension/install-workspace-web-extension).

From StoreFront 2407 no configuration is required. For earlier versions of StoreFront you may need to enable this feature using PowerShell. For more information, see [StoreFront documentation](https://docs.citrix.com/en-us/storefront/current-release/install-standard/user-access-options#citrix-workspace-web-extensions )

Citrix Workspace app for Android supports device posture check for the operating system (OS) and app version. This prevents users from signing in to Citrix Workspace app if their OS and app versions don’t match the required versions. If the OS and app version don't match the specified version, users are redirected to the App store for updating to the required version.

Administrators can now manage the installation prompt display for Citrix Workspace web extension. This extension plays a crucial role in ensuring seamless client detection and supporting hybrid launch. By enabling the prompt, Citrix Workspace can check if the extension is present on the user’s device when accessed through a browser. If the extension is not found, users receive a prompt to download and install it.

Learn more about this feature in the product documentation here.

Monitor enhances the limit of OData pagination. All OData v4 endpoints return a maximum of 1000 records per page with a link to the next 1000 records in the response. Because every page returns large data sets, you can get the same amount of total data with lesser OData queries. Thus this feature reduces time to get total data and thus improves the user experience.

Citrix Provisioning 2407 and newer supports Windows Server 2025. You can learn more about system requirements in our product documentation.

DaaS and CVAD support provisioning PVS catalogs to XenServer with PowerShell. To learn more, please reference our product documentation.

Currently, customers must manually update vDisks whenever Daylight Saving Time (DST) changes, as outlined in this Citrix support article https://support.citrix.com/article/CTX200058 . This process can be extremely time-consuming, especially in large implementations with numerous vDisk images. To address this, a solution will be implemented to automate how PVS handles DST, eliminating the need for manual updates.

In VMware environments, previously, you could only change the configuration of an existing machine catalog. The changes did not apply to existing VMs. With this feature, you can now apply the updated configuration to the existing VMs. Currently, the following properties of the existing VMs can be modified:

• VMCpuCount
• VMMemoryMB
• Folder ID
• Subnet mapping
• Hardware version - Machine Profile workflow only
• Machine Profile - Machine Profile workflow only

This feature is applicable to both:

• Persistent and non-persistent VMs
• Legacy and machine profile based workflow

Seamless relaunching disconnected sessions: End users can easily reconnect to disconnected sessions in the Activity Manager by locating the session name and clicking on it. This simple action swiftly restores access to their previous work environment without them having to find the app again and start it.

Session transfer across devices: End users can manage active sessions across devices within the Activity Manager. They can transfer active sessions from other devices onto their current one.

Learn more about the feature in our product documentation here.

When creating a BDM boot disk for an on-prem target, the number of login servers has a hard-coded maximum of 4, with this update, admin can now specify up to 32 login servers when creating BDM disks for UEFI target devices. 

Previously, in AWS environments, the Identity disks (ID) of VMs were of GP2 volume type. With this feature, MCS can now provision VMs with Identity disks of GP3 volume type. As GP3 volume type is the cheapest option offered by AWS, this feature will help save cost.

The feature is applicable only to the VMs added to a new catalog and new VMs added to an existing catalog. Existing VMs created before this feature will continue to have ID disks with GP2 volume type, unless the ID disk is reset.

Hibernate and Resume virtual desktops in Citrix Workspace

Transform your virtual desktop experience using Citrix Workspace's new hibernate and resume feature. This feature allows you to hibernate your virtual desktop when it's not in use, preserving the state of all open applications and sessions. When you're ready to return to work, simply resume your session from where you left off. This feature not only saves time but also saves energy and boosts productivity.

Learn more about the feature in our product documentation here.

Allow PVS Server to be installed on a system running Server Core to reduce attack surface and cost. With this update, PVS will support Windows Server core with  BDM update supported. 

This enhancement will provide new workflows in the App Layering console enabling tagging of layers and layer revisions. Using name:value pairs you can group and organize your layers using custom tags. For customers with many layers this will reduce the time needed to find specific layers, or groups of layers with similar tags. In addition, tags will be stored with the layer data, enabling advanced automation use cases.

The tagging system will enable future advancements in template management and publish, including dynamic assignment of layers to a template and bulk-publish of images based on tags.

In version 2403 or earlier of the App Layering appliance the operating system used is CentOS 7, which is now end-of-life.

New with App Layering 2409 the appliance has been enhanced to run a modern version of Linux. The new appliance provides improved supportability, security compliance, and other benefits.

It is important to note that there is not an in-place upgrade from version 2403 or earlier to version 2409. You will need to download and deploy a new appliance running App Layering 2409, and then migrate your data from the old appliance to the new using the new appliance migration feature.

The migration feature has been added as an upgrade to App Layering 2403 which can be downloaded and installed manually or applied via the auto-upgrade feature within the product. Refer to the upgrade documentation for more information about how to upgrade the appliance.

This feature enables Citrix integration with Nutanix AHV Prism Central (PC) through a Citrix-managed Prism Central host connection.

It allows you to connect Citrix DaaS to Nutanix PC-managed multi-cluster environments in hybrid cloud setups, create machine catalogs, and perform power management, provisioning, and lifecycle management for VMs within those catalogs.

The benefits of using the Citrix-managed Nutanix AHV Prism Central (PC) connection are:

• Enhanced Hybrid Cloud Connectivity: Connects Citrix to Nutanix Prism Central AHV environments in hybrid cloud, including on-premises private clouds, Nutanix Clusters (NC2) on AWS, and NC2 on Azure.
• Multi-Cluster Management: Supports multiple AHV clusters managed by a Prism Central instance under a single host connection.
• Cross-Cluster VM Templates: Supports cross-cluster sharable VM templates as the MCS master image.
• Streamlined TLS certificate trust: Simplifies configuration for TLS certificate trust for new and existing Nutanix Prism Central connections.

This preview feature is currently only available to the Citrix DaaS customers. For more information, see Citrix integration with Nutanix Prism Central on AHV (Preview)

Sorting and filtering for the table columns in Manage > Devices page

The sorting and filtering option will be added to the table columns in the Manage > Devices page of the Citrix Endpoint Management console. This will allow you to apply filters to the table columns which allows you to sort and filter the data and find the information easier and faster.

Mandate end users to authenticate and access apps and desktops through native app

Administrators can mandate the use of the native Citrix Workspace app, eliminating the option for users to access the Citrix Workspace web client. This feature is designed for customers who want to leverage the full benefits of the native app. The native app offers advantages such as built-in App Protection service, no browser version compatibility issues, and enhanced security.

Learn more about this feature in the product documentation here.

This feature enables admins to integrate App Layering workflows for end-to-end automation of app and image delivery including support for popular IoC tools like Packer and Terraform. This feature will provide APIs assist in automating deployments that involve a large number of applications, images, and target user groups.

With the introduction of the Citrix platform, we are committed to delivering a simplified, unified experience that offers zero-trust access, best-in-class app and desktop virtualization, and high-performance application delivery with robust security. We're reinforcing this vision with the following product updates.

The Citrix Cloud platform has redesigned the Home page and standardized the navigation across all solutions. The updated homepage acts as an educational hub for admins, featuring the Citrix platform roadmap, upcoming events, and useful resources. It also showcases recent admin activity and provide quick access to essential services. Navigation enhancements include a consistent look and feel, along with breadcrumbs for improved wayfinding. 

Citrix Endpoint Management and Mobile Productivity Apps now support iOS 18

We're excited to announce that Citrix Endpoint Management and Mobile Productivity Apps are all set to support iOS 18, starting with our latest release 24.9.0. Here are the latest releases of Mobile Productivity Apps that support iOS 18:

• Secure Hub 24.8.0
• Secure Mail 24.9.0
• Secure Web 24.9.0

Your devices will continue to receive seamless support even after updating to iOS 18. Learn more about this feature here.

Support for TLS 1.3 protocol

A new node in the Full Configuration management console allows global administrators to backup components such as machine catalogs, delivery groups, policies, etc. This way, there is always a snapshot of your Citrix configurations ready on standby. If inadvertent changes arise, simply choose a backup, select restore, and you’re up-and-running again with a few clicks.

Support for auto-update of optional apps in iOS

Starting from the XenMobile Server 10.16, a new server property named apple.ios.optional_app_update is added. This property allows you to auto-update the optional apps in iOS. The default value of apple.ios.optional_app_update is set as False. For more information, see Server properties.

For more information about auto-update of optional volume-purchased apps, see Check for the app updates.

Staging link: https://stage-docs.citrix.com/en-us/xenmobile/server/whats-new#support-for-auto-update-of-optional-apps-in-ios

This feature enables the VDA Upgrade Service for customers with VDAs that, for example, may not have internet access due to security requirements. 

For more information regarding Support for VDA Upgrades from a Local File Share, see Manage machine catalogs.

The Manage Configuration Feedback feature allows administrators to obtain feedback on app states from Android devices that are configured with managed configuration policies. This feedback can be used to monitor the effectiveness and status of these policies.

Currently, Citrix provides two 'connectivity check' tools for helping diagnose installation and configuration issues with Cloud Connectors. One of these is the 'built-in' tool run as part of the installer and available on all machines where the Connector is installed. It is a basic tool which runs a limited set of tests. The second is the standalone 'Citrix Cloud Connectivity Check Utility' available from CTX260337, which is a much more sophisticated tool, including checking for installed certificates and validating Active Directory configuration.

This work looks to integrate the standalone connectivity check utility into the built-in tool available with all connector installations, improving the interface and adding additional tests and actions.

The Citrix Optimizer Tool is a critical component for many customers who are deploying non-persistent workspaces and want to ensure they are optimally configured for maximum performance and security.

This enhancement will add a new optional parameter when running Image Portability Service jobs that will run Citrix Optimizer within the image during preparation for the target platform. This will further simplify and automate the process when using IPS to migrate images between on-prem and cloud Resource Locations.

If using Cloud Connectors as part of a Citrix DaaS deployment, the Cloud Connector High Availability service allows for the continued brokering of Connections even during network interruption or service outages. However if Cloud Connectors are not correctly sized for outage mode this can cause launch failures.

With this change, the Cloud Connector installer will introduce a warning in cases where the host Windows machine is under-sized for operation in Local Host Cache mode. For cases where the connector is not being used to broker connections (e.g. for AD connectivity) this warning will not block installation.

The Connector Appliance is currently compatible only with the commercial and Japan Citrix Cloud control planes. This means that the benefits of AD multi-domain connectivity cannot be availed by those customers who use the Gov Citrix Cloud control plane. 

Cloud Connector connectivity failures are often caused by network instability, however this can be hard to troubleshoot without analysing packet traces. With this change, the connectivity check tool built in to the Cloud Connector will contain functionality to capture packet traces during its Connectivity Checks. This will greatly simplify the diagnosing of connectivity failures, removing the need to install additional, highly privileged software on the host.

This behavior change is intended to meet the needs of customers who require that administrator change activities are logged in Citrix Cloud. Previously, no log entries were written when a Citrix Cloud admin changed the "Account name" or "Logo" fields in Home/Account settings/Account details. With this enhancement, both change types generate log entries that are written to Home/System Log.

When a persistent AWS VM is powered off and placed in maintenance mode, you can request to reset the OS disk.  This causes the OS disk to get deleted and recreated from current image prepared from Amazon Machine Image (AMI). For more information on how to use the feature, see https://docs.citrix.com/en-us/citrix-daas/install-configure/machine-catalogs-manage.html#reset-os-disk.

Currently, the Local Host Cache (LHC) misconfiguration alerts that are exposed in the Zones node of DaaS Full Configuration interface provide general information that there is a misconfiguration in the Resource Location. 

With this enhancement, a new PowerShell cmdlet, `Get-ConfigMisconfigurationReport`, will provide a detailed LHC misconfigurations report in the zone. Added details will include information such as which connector is misconfigured, what is the current misconfiguration, and what is the recommended configuration.

The documentation for the misconfigurations can be found here: https://docs.citrix.com/en-us/citrix-daas/manage-deployment/zones.html#troubleshooting.

With this feature, admins will be able to specify store names while adding stores to Citrix Workspace app. Store names make identifying and distinguishing the stores easier for end users. 

t is helpful to use names that are familiar to end users. This makes identification of stores. Currently, the stores are named as "Store", "Store1", "StoreX" by default. 

With the warning and error widget on the Home page, you can view all warning and errors from your DaaS deployments in one place. The widget streamlines issue resolution by consolidating scattered alerts, enhancing visibility, and reducing troubleshooting time.

By default, the Citrix Provisioning uses Kerberos authentication when communicating with the SOAP Service in an Active Directory environment. As part of the Kerberos architecture, it is crucial to register (create a service principal name (SPN)) with the domain controller (Kerberos Key Distribution Center). If the creation of SPN fails, the Kerberos authentication fails, and Citrix Provisioning falls back to using NT LAN Manager (NTLM) authentication.

However, NTLM is highly insecure and vulnerable to attack.

With this enhancement, config wizard will create SPN in the backend. Administrators can run the config wizard to generate the SPN, ensuring that Citrix Provisioning supports Kerberos authentication when NTLM is disabled.  If SPN creation fails, it is likely due to insufficient privileges associated with the current user account. Re-run the config wizard using an account with full admin rights. 

For information, see Support for communicating with SOAP service with NTLM disabled.

With this feature, you can now use the Citrix Virtual Apps and Desktops Setup Wizard to create target VMs on a XenServer 8 host. See Support for XenServer 8.

With this feature, you can now:

• change the default log level of all new target devices in a farm defined in Farm Properties.
• change the log level of an existing collection and all target devices in that collection in just one step.

The log levels that you can set are:

• Off
• Fatal
• Error
• Warning
• Info

For information, see Control levels of target devices logs.

You can now check the logs of the provisioning operations to enable better self-service and reduce the time to resolve the issues. You can do this using the View Logs button available on the following Citrix Provisioning Console wizards:

• Citrix Virtual Apps and Desktops Setup Wizard
• Streamed VM Setup Wizard
• Export Wizard

For more information, see Support for viewing operation logs with all Citrix Provisioning Console wizards.

You can now run the Windows Performance Monitor to gather statistics about the following from the newly added latency counters :

• Average PVS Read Operations/sec
• Average PVS Write Operations/sec
• Average Seconds per PVS Read Operation (covers the entire process of the read request)
• Average Seconds per vDIsk Read Operation (covers the time taken for the disk read done as part of a PVS read)
• Average Seconds per PVS Write Operation (covers the time to process one write request including individual requests in an MIO request)
• Average Seconds per vDisk Write Operation (covers the time to issue a vDisk write at the end of a set of PVS write requests).

Previously, during triage when you search for a user in Director, you get the user details only if the user is from an on-premises site. If the user is from a cloud site, you had to go to Monitor and search again. With this enhanced search functionality, you can search for users from cloud sites or on-premises sites using the Search option in Director. This feature reduces the mean time to resolve issues and provides a seamless experience with a single console without any rapid growth in the size of the database.

Benefits of Director’s enhanced search :

• Reduce Mean Time to Resolution (MTTR) of tickets: Streamline the support experience by eliminating the need to use multiple Director or Monitor consoles to find the relevant user and hence resolve tickets.

• No rapid growth in the size of the database: There is no rapid growth in the size of the database since only the cloud site details are added to Director. User details are saved in the cloud itself.
•  Single console: No additional servers or agents, one console for all tenants and needs. Supports different Citrix sites and versions (LTSR and current releases) within a single web console.

For more information, see Unified search for Hybrid multi-cloud deployments.

The Workspace offline mode feature is optimized in terms of design, behavior, and loading time. The new prompt appears as a pop-up window and is less intrusive as it doesn’t interrupt the ongoing user authentication. Users can either choose offline mode to work and access available apps offline in case of authentication issues or they can continue with their ongoing authentication process. Previously, the offline mode prompt appeared after just 30 seconds while the user was signing in to the store URL, interrupting the flow. However, the enhanced prompt now waits for 60 seconds before appearing and can show up on any webpage, including the sign-in screen and other redirecting pages.

Until now, FAS has only supported RSA keys for use in its certificates. With this change FAS will introduce support for ECC certificates.

Currently, configuring where FAS private keys are stored is handled through the Citrix.Authentication.FederatedAuthenticationService.exe.config XML file as documented here. This has been a pain point for admins to manage and currently is not preserved over FAS upgrades.

With this change, configuration changes to how user and RA certificate private keys are stored will be handled separately, simplified, and preserved over upgrades.

Currently FAS relies on the Microsoft Cryptographic Service Provider (CSP) for cryptographic operations within FAS. This has been replaced with the Microsoft Key Storage provider (KSP) which includes a number of modern cryptographic methods such as probabilistic padding (PSS) and operations for Elliptic Curves (ECC).

For more information about CSP vs KSP please refer to the Microsoft documentation.

Previously, Machine Creation Services (MCS) supported single NIC on Azure. With this feature, you can now create a VM with multiple NICs. You can also associate multiple NICs on a VM to multiple subnets. Please note that the subnets must all reside in the same virtual network (vNet).

If you use the machine profile workflow, NIC properties, such as accelerated networking, in master VM or ARM template spec are captured and copied to the corresponding NIC of the created VM.

You can add or delete NICs based on the maximum number of NICs supported by the VM size. Additionally, the NIC assignment on existing VMs can also be updated.

Public clouds can sometimes run out of capacity for a specific VM size. Also, if you use Azure Spot VMs, then the VMs are evicted at any time based on Azure’s capacity needs. In such a case, MCS can now fall back on the backup VM sizes provided by you. MCS tries to fall back on the backup VM sizes in the order that is provided by you in the list.

Starting with 2407, MMC-based Citrix Studio enters maintenance mode. New features will no longer be added, and any updates will focus on its stability and security through regular bug fixes and security patches. We recommend transitioning to Web Studio, the next generation of Citrix Studio. Web Studio is a web-based management console that offers full feature parity with MMC-based Citrix Studio, along with a modern management experience, enhanced capabilities, and powerful new features. For more information, see Install Web Studio.

The user menu at the top-right of the console includes both account-level and personal settings in one easy-to-use interface.

The information currently displayed in "My Profile" sections was consolidated into one "My settings" page. The "Account settings" reflect account-specific configurations based on the administrator's role.

With the January 2024 Web Studio console release (see the announcement - 4th paragraph), administrators can now manage user assignments for "Managed by Citrix Cloud" delivery groups directly in the Web Studio console. Where previously management of these delivery groups was limited to Library, they now have the same management options in the Web Studio console. This is in production today for all customers.

Administrators can start managing their delivery groups via Web Studio console effective immediately (while still having the ability to do so in Library too). A banner on the Library page notifies customers that we'll be deprecating these apps from the Library in June 2024 and at that time, management will solely be possible via the Web Studio console.

The Session Recording service is expanding to the Asia Pacific South (APS) region. It moves Session Recording management functions to a Citrix Cloud service, providing a unified and streamlined administrative experience. You can expect the following benefits from the service:

• Easy to access
• Simplified operational experience
• Cloud-specific features in addition to on-premises offerings
• Always up to date

For more information, see the Session Recording service documentation.

The Session Recording service moves Session Recording control to a Citrix cloud service, providing a unified administrative experience. You can expect the following benefits from the service:

• Centralized configuration of Session Recording servers
• Simplified configuration of Session Recording policies
• Streamlined playback experience

For more information, see the Session Recording service documentation.

Previously, the drive letter of MCSIO WBC disk was determined by Windows OS and was usually either D or E drive.  With this feature, you can now assign the WBC drive letter from the web Studio console or through PowerShell Provisioning SDK. This avoids any conflict arising because of applications using the specific drive letter.

• For the web Studio console, you can set the drive letter for WBC disk in the Disk Settings page.
• For PoSH SDK, the New-ProvScheme provides a new parameter called WriteBackCacheDiskLetter <Drive Letter>  to specify WBC drive letter.

WBC drive letter is applicable to only new VMs. It cannot be changed once the VM is created.

Use the Network Access Control (NAC) solution to extend the XenMobile device security assessment for Android and Apple devices. The NAC solution uses the XenMobile security assessment to facilitate and handle authentication decisions. After you configure the NAC appliance, the device policies and NAC filters that you configure in XenMobile get enforced. For more information, see Network Access Control.

You can now specify the following attributes for apps installed on iOS devices:

Removable app: Specify whether the app is removable by users when it's a managed app.
Enable associated domain direct download: Specify whether the app can perform the claimed site association verification at the domains directly.
Associated Domains: Specify the associated domains to add to an app.

For more information, see https://docs.citrix.com/en-us/xenmobile/server/policies/app-attributes-policy#ios-settings.

Support for Apple Business Manager for shared iPads

Starting from the XenMobile Server 10.16 release, shared iPads support Apple Business Manager (ABM) with XenMobile Server. This allows you to sign in to the shared iPads using the ABM accounts and use them. For more information, see Configuring shared iPads.

Added new security action named Delete All Users for shared iPads

Starting from the XenMobile Server 10.16 release, a new security action named Delete All users is added for shared iPads in the XenMobile Server. This allows you to delete all the users on the device. For more information, see Security actions for shared iPads.

Take your data security to the next level with Secure HDX. Our advanced end-to-end encryption keeps your HDX sessions safe from snoopers. No matter the network, you can trust that your data stays secure while in transit.

For more information, please refer to the Secure HDX documentation.

Previously, in Azure environment, you could only know whether your host connection credential can connect to a hypervisor. With this feature, you can:

• Get the list of permissions assigned to your host connection credential
• Get the list of operations that can be performed with the permissions assigned
• Information on the permissions required
• Information on how to add the desired permissions

This helps you to troubleshoot and get necessary permissions ahead of time so that you can perform the tasks without being blocked.

Support for Enterprise apps on macOS devices. XenMobile Server has a new property `mac.app.push` which enables the support of Enterprise apps on devices running macOS. The default value of this property is True. For more information, see Server properties.

Added new Knox Platform for Enterprise Key device policy

A new device policy named Knox Platform for Enterprise Key has been added. This policy allows you to provide the required Samsung Knox Platform for Enterprise (KPE) license information and use the KPE licenses to enhance the security of your Samsung device. For more information, see Knox Platform for Enterprise Key device policy.

Support for eSim on iOS devices

XenMobile Server has a new property `ios.esim.support`, which enables the XenMobile Server to get the eSim information from the iOS devices and displays the eSim related device properties on the user interface. The default value of this property is True. For more information, see Server properties.

Added new option "OS updates version" in the OS Update policy for iOS:

In the OS Update policy for the iOS platform, a new option OS updates version is added after the OS update frequency field. This option allows you to specify the OS version to use to update the supervised iOS devices. For more information, see iOS settings.

You can now use the VDA Upgrade Service to update VDAs when you have proxies for internet connectivity and web filtering. The proxy configured in policy takes precedence over the proxy configured in registry. For more information, see Proxy Support for VDA Upgrade Agent. Also, refer to the list of URLs that need to be white listed in the proxy.

Support for installing Citrix Provisioning servers on Windows Server Core

 With this feature, you can now install Citrix Provisioning servers on the system running Windows Server Core. The Server Core option is a minimal installation as opposed to the installation of Server with Desktop Experience. The Windows Server core reduces the potential attack surface to critical infrastructure.

 The benefits of using this feature are:

•   Enhanced security for the Citrix Provisioning Servers.

•   Reduced cost because you can use a smaller VM.

 The current limitations of this feature are:

•   You cannot create target VMs using Citrix Virtual Apps and Desktops Setup Wizard using HDD BDM boot.

•   You cannot do a BDM update using the Citrix  Provisioning Console.

You can now create Citrix Provisioning catalogs using MCS PowerShell commands in VMware. 

This implementation provides you the following advantages:

• A single unified API to manage both MCS and Citrix Provisioning catalogs.
• Have new features for Citrix Provisioning catalogs, such as, identity management solution, on-demand provisioning, and so on.

Improved end user interface performance through caching

Citrix Workspace end user interface now loads faster by leveraging cached data from previous sessions, which results in quicker app openings. The user authentication process runs in the background, consequently saving a delay of 1 to 2 seconds. Caching the Workspace end user interface and parallelizing the loading of app’s user interface with the user authentication process together benefit the quicker opening of the app.

Learn more about the feature in our product documentation here.

To address contextual analysis of performance issues, Session topology in Director/Monitor will be enhanced to show more details on the connecting Gateway service PoPs, Connector and its Resource Locations, Hypervisor hosts in addition to experience improvements. 

This enhancement adds AWS as a supported source platform for IPS, enabling deployment of PVS or MCS master images from AWS, to a different on-prem or cloud environment.

Learn more about this feature here:

https://developer-docs.citrix.com/en-us/citrix-daas-service-apis/image-portability-service/powershell#export-from-amazon-web-services 

Microsoft Teams 2.x has changed its installation method and now installs under C:\Program Files\WindowsApps. This folder is not preserved in the image when modified during packaging for an app layer. Hence, if Microsoft Teams 2.x is installed within an app layer, it is not included in the final published image.

A patch update for App Layering 2403 is now available and can be downloaded at https://www.citrix.com/downloads/citrix-app-layering/product-software/citrix-app-layering-2403.html. The next release of App Layering will include the patch, as well.

https://docs.citrix.com/en-us/citrix-app-layering/4/known-issues#microsoft-teams-2x 

Development to support group based (Azure AD and SAML) administrator access to the Secure Private Access (SPA) service is underway.

When adding an AD administrator group to Citrix Cloud, you'll be able to select permissions from the SPA category to allow access to specific areas of the console.

Citrix Workspace app for Android users can sign in to Azure AD joined VM devices using single sign-on authentication. Users need to provide their Microsoft credentials when signing in to an Azure AD joined VM device for the first time. For subsequent sign-ins, credentials are not required until the token expires.

Support for delivering packaged applications to single-session static desktops and office PCs. With this enhancement, you can now deliver packaged applications to all types of desktops using Full Configuration. Each time users sign in to their single-session static desktops or office PCs, the packages containing those applications are automatically mounted.

For more information, see [Create delivery groups](https://docs.citrix.com/en-us/citrix-daas/install-configure/delivery-groups-create#step-6-applications), [Manage delivery groups](https://docs.citrix.com/en-us/citrix-daas/install-configure/delivery-groups-manage#applications), and [Add applications to delivery groups](https://docs.citrix.com/en-us/citrix-daas/manage-deployment/app-packages#add-applications-to-delivery-groups). 

An Images node is now available in Web Studio, letting you prepare an MCS image (prepared image) from a single source image and deploy it across various MCS machine catalogs. This node facilitates complete image lifecycle management, enabling you to create image definitions, versions, and catalogs. Images prepared using this node can only be used in Azure and VMware environments. Alternatively, you can also create catalogs with prepared images using the Machine Catalogs node.

Support for managing user assignments for Citrix Cloud-managed delivery groups using Full Configuration. As part of our plan to migrate user assignment management from Cloud Library to Full Configuration, you can now manage user assignments for Citrix Cloud-managed delivery groups through Full Configuration. To accomplish this, edit a target delivery group in Full Configuration > Delivery Groups and designate users permitted to use desktops or applications through one of these menus: Desktops (or Desktop Assignment Rules) or Application Assignment Rule. For more information, see [Manage delivery groups](https://docs.citrix.com/en-us/citrix-daas/install-configure/delivery-groups-manage#users).

Note that updates made in one portal will seamlessly synchronize with the other, ensuring consistent updates across both portals.

Administrators with full access can configure how long the Citrix Cloud console is inactive before they are signed out automatically. After configuration, the specified time-out period  applies to all administrators of the Citrix Cloud account. Upon release, this feature will be in a disabled state by default. When enabled, the default time-out is 10 minutes of inactivity. For more information, see Configurable inactivity timeout for console. For the Citrix Cloud Government management console, see Configurable inactivity timeout for console.

Prevent users from uninstalling Secure Hub

Allow Citrix Cloud Full Administrator to submit request to delete their Citrix Cloud account. This functionality also allows them to seamlessly onboard a new Citrix Cloud account when required.

The documentation for this functionality can be found here: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/allow-customers-to-delete-citrix-cloud-account.html

In continuation to the Session launch diagnostics (preview) launched for our DaaS customers, we are happy to provide experience improvements to the preview, making it easier to deduce the causes of Citrix session failures.
Earlier, IT admins using the Monitor tool in Citrix DaaS could use Session launch diagnostics (preview) to search for unique failure errors, i.e. transaction-ID provided by their users. They could get all the logs for the session in a convenient download and then parse through them to spot the offending components and the error codes. They could look up the error code in our documentation to find its description and recommended resolution steps.
We have now improved the functionality in Citrix Monitor, so IT admins now need not parse the logs to deduce potential issues using Session launch diagnostics (preview). We have improved the experience so that, now in Monitor when a search for a failed session's transaction-ID is done:
• We visually show the component(s) involved in trying to establish the session. We highlight the component(s) which failed and show the last generated error code.
• Additionally, now you no longer need to manually look up the error code in our documentation to see remediation details. Now, clicking the "Learn more about the error" link will take you directly to the specific content section.

Distributors will be able to access license usage data for all their partners using the Citrix Cloud API. Distributors will be granted administrator access to their partner accounts using the "Secure Clients" permission and a new License Usage Insights permission specifically for distributors. With these permissions, distributors can use the Citrix Cloud API clients that partners create and share with them to gather partner license usage data. For more information, see Distributor access to APIs in the Citrix Cloud documentation.

This functionality is available for the following components:

• Citrix DaaS
• Citrix Virtual Apps and Desktops

Support for Apple Business Manager for shared iPads

Starting from XenMobile Server 10.15 RP6, shared iPads support Apple Business Manager (ABM) with XenMobile Server. This feature allows you to sign in to the shared iPads using the ABM accounts and use them. For more information, see Configuring shared iPads.

Auto update optional Apps in iOS

Starting from the XenMobile Server 10.15 RP6, a new server property named apple.ios.optional_app_update is added. This property allows you to auto-update the optional apps in iOS. 

For more information, see Server Properties.

For more information about auto-update of optional Volume Purchased apps, see Check for the app updates.

Enforce a minimum OS version

CVAD 2402 VDA is now available in VDA Upgrade Service under the CR track. Try it today!

Easily access Secure Mail from your personal profile

Users can now seamlessly switch to Secure Mail in their work profile right from their personal profile. Simply click on an email address in your personal address book, and you'll see the option to use Secure Mail for your work emails. This feature is convenient for users to send work emails from their personal profile.

Learn more about this feature in our product documentation here.

Admins can now view a summary of the current configuration by clicking the View configured settings button. This feature eliminates the need to expand and review each setting separately. A consolidated list of all the configured settings allows admins to perform a comprehensive review of the current configuration and gauge the user impact. For more information, visit the Global App Configuration service documentation.

Citrix Workspace app offers Client App Management capability that makes the Citrix Workspace app a single client app required on the end point to install and manage agents such as Secure Access Agent, End Point Analysis (EPA) plug-in and 3rd party agents like Zoom and Webex.

Support for using shared images from other tenants to create Azure machine catalogs. When creating Azure catalogs in the Full Configuration interface, you can select shared images from other tenants (shared through the Azure Compute Gallery). This feature requires that you provide shared tenant and subscription information for associated host connections.

With the feature, Citrix Director/Monitor will allow administrators to find ended sessions that was in the last 48 hours to extend troubleshooting beyond active sessions. For ended sessions, the historical correlation of critical performance metrics will be available along with relevant metadata around the session.  

CVAD LTSR 2203 CU4 Update 1 VDA is now available with VDA Upgrade Service CVAD 2203 CU4 Update 1 VDA. Please use the Upgrade Catalog option within your Catalog to update your VDA to the latest CVAD 2203 CU4 Update 1 VDA.

If you have enabled App Layering User Layers or UPL in your non-persistent workspace environments, you are redirecting all of the user data over the network into remotely stored VHD files. Over time, as users write data into their image, the files will grow in size, consuming space on your back-end storage, which increases your total utilization and cost.

Now available in App Layering 2403 is an enhancement to enable user layer storage using the more modern VHDx container format. Moving to VHDx enables the ability to reclaim unused space within the user layer disk, returning it to the pool of available storage. User Layer space reclamation helps to decrease the footprint of enabling this powerful feature, reducing IT costs.

https://docs.citrix.com/en-us/citrix-app-layering/4/layer/enable-user-layers#user-layerupl-space-reclamation

Introducing a new connector type for App Layering that enhances support for publishing layered images to a Windows file share. The Windows file share connector supports offload compositing, enabling modern hypervisor features such as UEFI, Secure Boot, and support for Windows 11 for App Layering images.

The Windows file share connector is now available! Upgrade to App Layering 2403 to take advantage of this powerful new feature.

https://docs.citrix.com/en-us/citrix-app-layering/4/connect/windows-file-share

Reduce the time it takes to analyze slow logons with our new 'Session Logon' tab in Citrix Director and Monitor! Our refreshed Session Logon dashboard enables administrators to gain targeted details around users' logon details broken down by individual phases and an easy to understand representation.

Drill-down into Profile and GPO details and get logon baselines for the selected user and their Delivery Group for quick analysis of slow logons. For more information, visit our product documentation:

In order to maintain the performance of DaaS tenants, starting on September 9th, 2024 configuration log retention will be set to 180 days. Logs older than 180 days on September 9th, 2024 will be deleted. As we keep growing our DaaS limits (https://docs.citrix.com/en-us/citrix-daas/limits.html) for a single DaaS tenant, this will ensure the best performance and resilience for our customers. 

 
As a best practice, we advise customers to have a quarterly export mechanism. This can be done through PowerShell: https://docs.citrix.com/en-us/citrix-daas/manage-deployment/configuration-logging.html#generate-reports. We also recommend customers schedule periodic data deletion: https://docs.citrix.com/en-us/citrix-daas/manage-deployment/configuration-logging.html#generate-reports).

Monitor integration for Local Host Cache (LHC) focuses on pre-outage readiness and post-outage visibility into LHC occurrences along with details. 

A pre-defined alert added to Monitor for consecutive config sync failures on the resource locations for proactive admin troubleshooting.

Monitor integration for Local Host Cache (LHC) focuses on pre-outage readiness and post-outage visibility into LHC occurrences along with details. 

The new Local Host Cache page under Trends will provide historical events around LHC occurrences across all resource locations for admin visibility and audit. 

Administrators can view details around Citrix Profile Management and FSLogix profile containers in addition to the file based profiles within the Session logon breakdown in Director.

Actions - Session Recording

Introducing a new "Session Performance" tab with enhanced troubleshooting workflows starting with the ability to correlate real time metrics in identifying issues within user sessions. 

Citrix administrators can access playbacks of recorded user sessions within the DaaS Monitor console, when Session Recording integration is configured.
Session recording controls and playbacks are available based on the role-based access control (RBAC) permissions assigned to them.

For more details review the Citrix Tech Zone Session Recording PoC Guide  

The new and game changing session topology and network hop view has been introduced as part of Citrix DaaS Monitor and Citrix Director, offering curated and tailored troubleshooting details, essential for help desk administrators and Citrix administrators.

The new and comprehensive view is offering network statistics and session details and relevant for troubleshooting details, which we have collected in feedback sessions with Citrix Service Providers, Citrix Operation Teams, and from Citrix Partners. 

Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services. With this feature, MCS can provision a catalog of VM that supports Azure Monitor Agent. It is enabled through machine profile workflow.

This feature proactively discovers issues related to zones in your deployment so that you can resolve the issues in time before your users are affected. If discovered, the Zones icon contains a warning sign, indicating issues with one or more zones. You can then go to the Troubleshoot tab of each zone to find more information. See Zones.

Many administrators access the Citrix Cloud console to perform specific tasks, such as help desk tasks. Several clicks are required for them to reach their desired destination every single time they sign in. Giving administrators the ability to set or modify a custom landing page saves time and enhances the administrator experience overall. 

All administrators can access their Citrix Cloud console account settings and select the page they'd like to land on after signing in. Check out the blog for more information.

Admins can now prevent users from taking screenshots on their Mobile/tablet devices through third-party Unified endpoint management solutions.

You can find documentation on this feature here: https://docs.citrix.com/en-us/citrix-workspace-app-for-android/mdm#screenshot-detection-and-prevention-through-unified-endpoint-management-solutions

This enhancement adds Nutanix AHV as a supported target platform for IPS, enabling deployment of PVS or MCS master images into Nutanix, from a different on-prem or cloud environment.

This feature is now available, refer to our product documentation here for more information:

https://developer-docs.citrix.com/en-us/citrix-daas-service-apis/image-portability-service/powershell#prepare-image-on-ahv

Previously, when you provisioned a new VM, each new VM had its own new NIC for network communication.  And NIC settings, such as DNS setting, configured in the master image is not reflected in the catalog VM. With this feature, every configured setting in the master NIC would be retained in the provisioned VMs. This feature is only applicable to Hyper-V and Azure VMs.  NIC setting is already retained for other hypervisors

An account's name, which can be modified by full access administrators in Account Settings > Company Account > Citrix Cloud Customer Name, is now displayed in the top right hand corner of the Cloud console next to the administrator's name. 

With this addition, administrators now have an easy way to validate which Cloud account they are actively in prior to making impactful changes to the environment.

Currently, if a Connector (Windows Connector or Connector Appliance) loses connectivity to Citrix Cloud, it can take up to 3 hours for an alert to be raised through the Citrix Cloud console. With this change that interval will be reduced to 15 minutes.

Often, customers need to apply specific optimizations to their images after they're published from App Layering and before they're deployed with Provisioning Services or Machine Creation Services. One common example is to defragment the VHD/VHDx, which is created during publish.

This feature, available in App Layering 2309, adds a new option to the image template configuration which, when enabled, automatically initiates disk defragmentation each time the template is published.

Learn more about this feature in our product documentation here:

https://docs.citrix.com/en-us/citrix-app-layering/4/publish/create-image-template#create-an-image-template-from-scratch

The Connector Appliance is currently compatible only with the commercial Citrix Cloud control plane. This implies that the benefits of AD multi-domain connectivity cannot be availed by those customers who use the Japan Citrix Cloud control plane. However, this situation is going to change when the Connector Appliance is made available for use with the Japan Citrix Cloud control plane.

This feature allows customers to set up multiple URLs for their workspace (subdomains of cloud.com), and use these URLs as policy input. StoreFront on-premises already allows an installation to utilize multiple workspace URLs to provide tailored use cases and resources to different areas of an installation. The support of Multi-Workspace URL aims to bring this capability to the Workspace platform by allowing customers to select branding, identity providers, and resources filtering based on the Workspace URL.

Push/Force iOS Update

A new radio button named "Install ASAP" will be added to the OS update options for iOS in the OS Update device policy which allows you to install the previously downloaded OS updates ASAP for iOS devices.

Citrix cloud will introduce domain name truncation, which allows unique users to be counted based on their account name alone, disregarding the domain name portion of the user name. 

For example, a user logs in under the following domain accounts:

• [email protected]
• [email protected]   
• [email protected]

When domain name truncation is disabled, Citrix cloud calculates three active users and three licenses consumed.

When enabled, Citrix cloud counts one active user and one license consumed.

Previously, Citrix Federated Authentication Service (FAS) supported MCSA and other validated identity providers. With this update, FAS officially supports Entrust Certificate Authority.
The FAS support for Entrust Certificate Authority is validated through the Citrix Ready program. The following references for official support is available in the Citrix Ready website:

• Entrust Certificate Authority
   
   

We are supporting the ability to add multiple instances of the same type of identity provider in the Identity and Access Management page. For example, an administrator can add and configure more than one Azure AD or SAML instance. This functionality is particularly helpful for companies involved in mergers and acquisitions, contracting, or working with service providers.

Once the new instance is added, given a nickname, and configured, an administrator can change the Workspace Authentication selection from one to the other. Additionally, a clone option is available for SAML identities to more easily update them.

 
Citrix is offering WiX-based installers for the infrastructure services and administration console. The new installers include the following changes:

Infrastructure services:

• .Net framework changed from .Net 4.7 to .Net 4.8
• Installation path change
• Service name and event log name change
• Parameter changes
• OS version restrictions
• SQL scripts and SQL undo scripts folders and their contents deleted
• SDK installed by default

The following table summarizes the changes:

Administration console:

• .Net framework changed from .Net 4.7 to .Net 4.8
• Installation path change
• Parameter changes

Following on from General Availability of the active directory multi-domain functionality on Connector Appliances, a set of improvements have been identified to improve the resiliency of the Connector Appliance with AD.

• Failover if unable to reach DC/GC when building LDAP connection
  • ConnApp currently finds the closest DC/GC when booting. If it is later not able to connect to this DC/GC the request currently fails. Instead it should failover to the next closest.
• Detect new domains or the recovery of domains which were unavailable when joining the forest
  • When joining a forest the ConnApp ignores all domains which are unavailable. If these domains later recover, the connector should serve for these too. Similarly if a new domain is added to the same forest it should also serve for the new one.
• Updating to latest libraries
• Other testing and bugfixes

nFactor authentication supports single sign-on feature

The nFactor for Mobile Application Management (MAM) enrollment or login now supports the single sign-on (SSO) feature for Secure Hub. This capability enables previously entered sign-in credentials to seamlessly pass through the MAM enrollment or login process. So, you don't have to enter the sign-in credentials all over again. A new client property ENABLE_MAM_NFACTOR_SSO has been added for this feature and it allows you to enable or disable the MAM nFactor SSO during the MAM enrollment or login for Secure Hub.

Learn more about about the ENABLE_MAM_NFACTOR_SSO property in our product documentation here.

Personalize Secure Hub sign-in page with hint for authentication pin

You can now personalize your Secure Hub sign-in page by adding hint for your authentication pin. This feature is optional and works for devices with two-factor authentication. The hint makes it easier to access your authentication pin.

Learn more about this feature in our product documentation here.

Faster loading for Secure Hub's App Store

The App Store in Secure Hub now loads faster than before, allowing users to access it more quickly.

Wipe your device securely, even when locked

Previously, unlocking the device was necessary to perform a full wipe upon reboot. With the current update, you can execute a full wipe command even when the device is locked in direct boot mode. This adds an extra layer of security, especially if your device falls into the wrong hands.

Learn more about the full wipe command in our product documentation here.

Using policy sets, you can group policies together based on your organizational divisions. You can then assign scopes and delivery groups to the policy sets to restrict policy management to authorized administrators.

Using Workspace and Gateway Service, this feature allows you to automatically establish a secure direct link from the client to the VDA when direct communication is available. For additional information, refer to the HDX Direct documentation.

A new congestion control algorithm has been introduced to optimize EDT, allowing the protocol to achieve higher throughput and reduce latency for an enhanced user experience. Please refer to this blog post for more details.

Audio is now supported over the EDT (Enlightened Data Transport) Lossy protocol. This feature increases the user experience for real-time streaming when users are connecting through networks with high latency and packet loss. When this feature is enabled, Adaptive Transport in Citrix Virtual Apps and Desktops use the EDT Lossy transport protocol for a better audio experience. This feature is disabled by default in 2308 and can be enabled by registry configuration. For more information, see Support for audio over EDT Lossy protocol.

Earlier Devices & Apps reports page displayed the information about all the devices and apps for all the users irrespective of their user group even if the role-based access control (RBAC) was applied.

In the upcoming release, the Devices & Apps reports page displays the devices and apps specific to the user groups defined in the To specific user groups that the RBAC role has permission to manage.

Clone a delivery group to use as the basis for a new delivery group: This feature lets you copy a complex delivery group that includes multiple policies, apps, and actions. You can then edit the copy such as adding enrollment profiles or a new set of Active Directory users

Previously, the VDA launch would fail if the FAS servers were unreachable. You can now configure StoreFront so that in this case the VDA launches and users must enter their username and password to sign in. This feature is off by default but can be enabled by admins. For more information, see FAS.

Following a major modernization of the App Layering user interface in 2022, we are continuing to make improvements and add new capabilities. In this update, we are bringing a brand-new UI experience to our Nutanix platform connector.

In addition to a new experience, we are incorporating offload compositing support for Nutanix. Offload compositing is a new layering architecture that brings modern platform capabilities, such as EFI and vTPM, as well as dramatically improved performance and job throughput when managing app layers and layered image templates.

The updated Nutanix connector is now available! Upgrade to App Layering 2312 to take advantage of this powerful new feature.

https://docs.citrix.com/en-us/citrix-app-layering/4/connect/nutanix-ahv

Some customers have requested the ability to centralize Citrix Cloud identity and access management through their identity provider of choice and, afterward, to disconnect the Citrix identity provider (CIP) from the Identity and Access Management console page.

Once a full administrator has been added to their identity provider of choice and all CIP administrators have been removed, the customer has the option to disconnect CIP.

Note: CIP acts as an emergency access (or "break glass") identity provider in the event your identity provider of choice is unavailable to authenticate Citrix Cloud administrators. Deleting CIP removes this safeguard. If you can't authenticate with your identity provider of choice, you will need to initiate an account recovery process with Citrix Support. This process could take several days.

This feature enables administrator access to the 'Full Access' role based on group membership (AAD and SAML). Any administrator belonging to this group will possess Citrix Cloud Console full administrative privileges.

The user interface of Citrix Workspace app installer is revamped to give a modern, easy outlook, and a better user experience. The new installer provides you a simple and seamless installation experience. By default, the new installer is disabled. 

Admins can now view a summary of the current configuration by clicking the View configured settings button. This feature eliminates the need to expand and review each setting separately. A consolidated list of all the configured settings allows admins to perform a comprehensive review of the current configuration and gauge the user impact. For more information, visit the Global App Configuration service documentation.

Citrix Workspace app offers Client App Management capability that makes the Citrix Workspace app a single client app required on the end point to install and manage agents such as Secure Access Agent, End Point Analysis (EPA) plug-in and 3rd party agents like Zoom and Webex.

Previously, DTLS connections between Citrix Workspace app for Linux and Virtual Delivery Agents (VDAs) were supported over the IPv4 network only. With this release, Citrix Workspace app supports DTLS connections over both IPv4 and IPv6. This feature is enabled by default.

No additional configuration is required when you use IPv6 DTLS direct connection with VDA on the Citrix Workspace app for Linux.

The desktop lock feature of Citrix Workspace app for Windows enables you to open a virtual desktop directly when a user signs into the device endpoint and they don’t get access to the local desktop. Before this enhancement, if desktop lock feature was enabled it was applicable to all non-admins signing into the device. With this feature admins can now enable desktop lock feature for a selective set of users.

Many of our customers rely on MCSIO to optimize storage performance for their non-persistent, MCS provisioned workloads. This feature, which has released and is now available, adds support for Image Portability Service to migrate and deploy images configured to use MCSIO.

We have introduced a new Citrix Performance Analytics data API interface - ODATA v4 REST API to enable export of historical and aggregated data for Citrix Performance Analytics. Customers can leverage this new API for troubleshooting and triaging real time sessions and building executive reporting dashboards using the Citrix Performance Analytics data set.

It leverages Citrix Cloud authentication and supports functions such as pagination, aggregation queries ( "select", "filter", "order", “top”, “count”) etc. Available data includes performance metrics and associated data objects such as Sessions, Machines and Users.

Enroll here to get early access of data exports via Rest API (Odata) for Citrix Performance Analytics

When persistent or assigned machines are inactive or unused or not logged into, the administrators can now define the time threshold and choose to take actions like, no action, suspend, or shutdown during peak and off-peak times. Learn more at https://docs.citrix.com/en-us/citrix-daas/manage-deployment/autoscale/schedule-based-and-load-based-settings#single-session-os-static-delivery-groups

Ease the administration of Local Host Cache by enabling administrators to use PowerShell commands to set the following options: 

• Enable/Disable Forced LHC Mode
• Set a Custom Config Sync Interval
• Enable/Disable the LHC High Availability SDK

Learn more on our Local Host Cache e-Docs.

A lot of customers with a hybrid strategy want to have their delivery groups have vertical load balancing for the public cloud workloads rather than the whole site. This would help them to better achieve cost benefits without sacrificing end user experience for on-prem resources which can have horizontal load balancing.

The goal is to give flexibility to the customers to choose horizontal vs vertical load balancing when creating a delivery group. 

Admins can now deploy a specific iOS update for the iOS-supervised devices. To deploy a specific iOS update, define the relevant OS version in the Control OS Update policy. For more information, see Control OS Updates device policy - iOS settings.

When an admin first accesses their connector appliance UI they are asked to set a password. However, once this password was set, there was previously no mechanism by which to change the password. With this enhancement, it is possible to change the password by calling an API, authenticating to it by using the old password.

A corresponding user interface flow is in development.

Azure has a secret environment where the endpoints of Azure services are a secret. To support the Azure secret region, you can now configure endpoint URLs of required services. To ensure that the target devices in the domain are trusted by the domain to which the Citrix Provisioning Server belongs, you can provide credentials for domain authentication. 

With this feature, you can now provision target devices in the domains that are not trusted by the domain to which the Citrix Provisioning Server belongs. 

To do this, use one of the following:

• Citrix Virtual Desktops Setup Wizard
• Streamed VM Setup Wizard

This feature is applicable to all supported on-premises and cloud hypervisors.

Several customers have raised concerns with consenting to the Directory.Read.All permission previously required for the Azure AD integration with Citrix Cloud. 

As of this release, this permission is no longer required and should help alleviate security concerns and remove this Azure AD adoption blocker.

Citrix Provisioning support for IPv6 based streaming gives you the flexibility to deploy Citrix Provisioning in IPV6 networking environments. This implementation helps you to meet government regulation requirements.

Launch your favorite web/SaaS apps or desktop sessions directly from home screen using the interactive widget

Extension Management with the Citrix Enterprise Browser

Enhance your browsing experience with extensions in the Citrix Enterprise Browser, giving you more capabilities on the web and boosting your productivity at work. Administrators can easily deploy these extensions securely through the Global App Configuration service.

Learn more about this feature in our product documentation here.

This feature enables VSAN 8 officially support by Citrix Provisioning.  Customer can upgrade their existing vSAN environment to vSAN 8 in Citrix Provisioning production deployment. 

Today, when admins perform a BDM update, the PVS server info will be read from the bootstrap file. This file will rely on deprecated BIOS and also have other limitations, for example it won't support DNS name of PVS servers. 

With this feature, admins can provide Citrix Provisioning Servers information when doing a BDM update. It will support inputting a DNS name of PVS server and also support up to 32 IP addresses selected. 

The deprecation of BIOS support was announced in Citrix Provisioning 2203. With this change, BIOS support will be officially removed from Citrix Provisioning. Instead, you can use the UEFI boot mode, which is the recommended solution. 

Citrix Provisioning 2311 or above will official claim support to Microsoft OLE DB Driver 19.3 or later, so that customer can upgrade to latest OLE DB Driver to latest version to meet security compliance and performance requirement. 

For LTSR 1912 CU7 , 2203 CU3 or above, customer can upgrade OLE DB driver to latest 18.X (18.6.6 or above) 

With this feature, while creating a vDisk using the Imaging Wizard, you can specify the vDisk to be Hybrid Azure AD joined in optimizer tool. Using this vDisk, target devices can be Hybrid Azure AD joined without manually doing the following:

• Run dsregcmd  or leave on the master target device so that the master target device is not Hybrid Azure AD joined.
• Add registry value AzureADJoinType [DWORD] in the master target device.

Previously, to create a Citrix Provisioning catalog, you had to use Citrix Virtual Apps and Desktops Setup Wizard. With this feature, you can now create a Citrix Provisioning catalog by using the Full Configuration user interface and PowerShell. 

This implementation provides you the following advantages:

• A single unified console to manage both MCS and Citrix Provisioning catalogs
• Opportunities to have new features for Citrix Provisioning catalogs, such as, identity management solution, on-demand provisioning and so on.

Currently, this feature is available only for Azure workloads. The preview link is https://docs.citrix.com/en-us/preview/citrix-provisioning/mcs-based-provisioning-on-azure/citrix-provisioning-catalog-in-daas.html.

Customer admins can now easily manage device compliance for Android devices enrolled in Device Owner mode. They can define custom rules to ensure compliance, including:

• Ensuring device password strength meets specified standards.
• Verifying the installation of all required apps.
• Confirming the removal of any forbidden apps.

If devices are found non-compliant, admins can prompt users to rectify the issues. Additionally, more stringent measures are available, such as freezing apps on the device to restrict user access until compliance is achieved.

Learn more about this feature in our product documentation here. 

This feature lets customers personalize their end-user facing workspace URL to their own domain, in addition to the cloud.com URL that Citrix provides. For example, if your company’s name is Acme Unlimited, you would typically access Citrix Workspace with a generic domain URL, such as https://acme.cloud.com. Now, in addition to this URL, you can personalize it even further and enable employees to access it from an existing URL you own, such as https://prod.acme.com. 

For more information, see Configure a custom domain.

When using multiple monitors, if you dock or undock your primary endpoint machine from a docking station, the session is automatically extended to the monitors with the updated layout. Also, when you start a session with multiple monitors, the session is extended to those monitors. If you add or remove monitors, the session is adapted to the newly available screens.

This feature is in technical preview from the 2309 release. For more information, see Enhancement to multiple monitors.

Eligible licenses will automatically be released without requiring any action from administrators. Automatic license release will be available for the following cloud services:

• Citrix DaaS
• Citrix Endpoint Management
• Citrix Secure Private Access

Release eligibility of assigned licenses depends on the rules of the specific service and license model. For more information, see Release assigned licenses in the Citrix Cloud documentation.

Citrix Application and Desktop Probing is the synthetic, automated testing for the launch of published applications and desktops.

As we progress in our continuous monitoring endeavour, we place particular emphasis on Citrix Probes - an existing feature enabling automated availability monitoring of published applications and published desktops, part of Citrix Monitor and Director.

This enhancement will allow customers with multi-factor authentication (MFA) in place to leverage Citrix Application and Desktop Probing in combination with StoreFront and / or Citrix Gateway.

The Citrix Workspace app for Linux supports keyboard layout synchronization for desktops such as Ubuntu 22.04, which utilizes the GNOME 42 desktop environment and later versions.

Keyboard layout synchronization allows users to switch among preferred keyboard layouts on the client device. This feature is disabled by default. Once enabled, the client keyboard layout automatically synchronizes with the virtual apps and desktops.

This feature is available in Citrix version 2304 and later. For more details, refer to the Keyboard layout synchronization section.

This feature ensures clear audio even when the network latency fluctuates.

By default, this feature is enabled. To disable this feature, navigate to the /opt/Citrix/ICAClient/config/module.ini configuration file and edit JitterBufferEnabled=FALSE.

This feature is available in Citrix version 2305 and later.

Citrix Workspace app for Linux supports background blurring for webcam redirection. To enable this feature, do the following:

1. Navigate to the ~/.ICAClient/wfclient.ini configuration file.
2. Add the following entry in the wfclient.ini file:
    
    
    {
   Unknown macro: {HDXWebCamEnableBackgndEffect=True }

   }

NOTE:

The configuration setting enables the background blurring for webcam redirection feature for UI and UI-less clients.

To disable background blurring inside the session for webcam redirection using the graphical user interface:

1. Click Preferences from the Desktop Viewer. The Citrix Workspace – Preferences dialog box appears.
2. Click the Webcam tab. The following dialog box appears.

1. Select the Disable Background Blur Effect check box to disable background blurring for webcam redirection.
2. Click OK.

This feature is available in version 2305 and later.

Citrix Workspace app for Android now supports remote configuration of your store URL using the Unified Endpoint Management solutions. As an administrator, you can manage store URLs remotely for managed Android devices using AppConfig-based key-value pairs.

For more information, see [Support for store configuration using unified endpoint management solutions](https://docs.citrix.com/en-us/citrix-workspace-app-for-android/mdm.html#support-for-store-configuration-using-unified-endpoint-management-solutions) in the Citrix Workspace app for Android documentation.

An eSIM is a digital SIM that allows you to activate a cellular plan from your device without using a physical SIM.

With the support of an eSIM, Citrix Endpoint Management allows you to retrieve the information such as phone number, IMEI, ICCID from the iOS devices and displays them on the Citrix Endpoint Management UI. For more information, see Citrix Endpoint Management 23.7.0 documentation.

With this feature, you can backup a persistent VM in GCP using snapshots. The snapshot will retain the disk and VM configuration content. You can later restore individual VMs to a previous status using a specified snapshot you choose.

Using this feature, you can now change the network setting for an existing Provisioning Scheme so that the new VMs are created on the new subnetwork. Use the parameter `-NetworkMapping` in the `Set-ProvScheme` command to change the network setting. Only the newly provisioned VMs from the scheme will have the new subnetwork settings. You must also make sure that the subnetworks are under the same hosting unit. Existing VMs in the catalog are not affected by the change. For more information, see Change the network setting for an existing provisioning scheme.

We now support the local launch of the MSIX (and/or AppAttach) package on the VDA desktop if vPrefer is configured instead of performing a second hop.

With this features, users will be able to configure Storefront settings through Global App Configuration Service Admin UI. Users will be able to add and view recently added stores and verify if a store is valid/invalid. 

With this feature, you can integrate your Workspace with third party web client or portal integrations. The feature is cost-effective as it reduces maintenance overhead and support costs. It also improves security by reducing attack surfaces.

For more information, see Unified Workspace API Preview

This enhancement adds XenServer as a supported target platform for IPS, enabling deployment of PVS or MCS master images into XenServer, from a different on-prem or cloud environment.

This feature is now available, refer to our products here for more information:

https://developer-docs.citrix.com/en-us/citrix-daas-service-apis/image-portability-service/powershell#prepare-image-on-citrix-xenserver

We bring you all your AutoConfig tool logs, command execution details, errors and fixups in a single pane of glass with the new AutoConfig tool HTML log. Users can more easily find what they are looking for and refer to important troubleshooting and information links.

Starting with the 2308 release, Citrix Workspace app for Mac can support up to 64 virtual channels in a session.

For more information, see Citrix Workspace app for Mac documentation.

Previously, you could only select 'VM' as an input for machine profile. With this feature, you can also select a launch template from the inventory list and use it as an input for machine profile to create and update a Machine Creation Services (MCS) machine catalog.

When you create a catalog to provision machines using Machine Creation Services (MCS) in AWS, you can now use MachineProfile property to capture hardware properties from a virtual machine and apply them to newly provisioned VMs in the catalog. MachineProfile property works with both Linux OS and Windows OS.

When you use MachineProfile property, the properties get captured along with IAM roles and Tags.
For example:

• EC2 type
• EBS optimized
• Elastic graphics
• ENA

Proactive service alerts in Full Configuration. A flag icon is now available in the upper-right corner of Home, and a Troubleshoot tab appears for each zone that has issues. Currently, this feature gives you proactive warnings and alerts to make sure that your Local Host Cache and zones are configured correctly so that when an outage happens Local Host Cache works and your users are not impacted. For more information, see Home page for the Full Configuration interface.

You can now create a catalog that supports AWS EC2 hibernation. The hibernation process stores the in-memory state of the instance, along with its private and elastic IP addresses, allowing it to pick up exactly where it left off.

When an instance is instructed to hibernate, it writes the in-memory state to a file in the root EBS volume, and then shuts itself down. Encrypt the root EBS volume of the instance. For information on EBS encryption, see Amazon EBS encryption. The encryption ensures proper protection for sensitive data when it is copied from memory to the EBS volume.

To create VMs that support hibernation, make sure that:

• Master image (instance you want to use as the basis for your AMI) supports hibernation.
• You enable the `AwsCaptureInstanceProperties` custom property or Machine Profile property .

Citrix VDA 2308 is now available with VDA Upgrade Service -[ CR 2308 What's new|https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/whats-new]. Please use the Upgrade Catalog option within your Catalog to update your VDA to the latest CR 2308 VDA.

This feature allows Citrix Cloud administrators to change their email address from their "My profile" page in Citrix Cloud. Previously, administrators needed to engage with Citrix Support to change their email address.

Cases where administrators might need to change their email address include a company acquisition, name change due to marriage, and so on.

Docs: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/add-admins#change-your-email-address 

In Azure environments, you can now enable customer-managed encryption-keys (CMEK) for a Citrix Provisioning catalog created by MCS. CMEK lets you manage encryption at a managed disk level and protect data on the machines in the catalog. A Disk Encryption Set (DES) represents a customer-managed key.

You can change the DES if the master image does not have DES, however, only the new VMs will have the new DES.

With this feature, Citrix Workspace app for iOS supports device posture check for operating system (OS) and app version.  This check is performed when a user attempts to sign in. If the OS and app version don't match the specified version, users are redirected to the App store for updating to the required version.  

Citrix Workspace app for iOS now supports remote configuration of your store URL using the Unified Endpoint Management solutions. As an administrator, you can manage store URLs remotely for managed iOS devices using AppConfig-based key-value pairs.
For more information, see [Configure Citrix Workspace app using Unified Endpoint Management solutions](https://docs.citrix.com/en-us/citrix-workspace-app-for-ios/configure/configure-workspace-app.html  ).

In Full Configuration, when you create a catalog, a Hybrid Azure Active Directory joined identity type, is now available in Machine Identities. With that identity type, you can use MCS to create hybrid Azure Active Directory joined machines. Those machines are owned by an organization and signed into with an Active Directory Domain Services account that belongs to that organization.

Today, connecting Citrix Cloud to Azure AD requires initiating the connection from within Citrix Cloud. This workflow is a pain point for customers and doesn't align with what customers are accustomed to when creating platform connections with Azure AD. 

Adding the Citrix Cloud Azure AD application to the Azure AD App Gallery simplifies the workflow for adding an Azure AD connection in Citrix Cloud. Administrators can:

1. Add Citrix Cloud Azure AD Application from the Azure AD App Gallery
2. Consent to the required permissions within Azure
3. Connect to the Citrix Cloud Azure AD application from the Citrix Cloud console.

With the Microsoft announcement to add Win32 apps to the Microsoft app store, the MSIX version of Citrix Workspace app is replaced with the Win32 version.  The Win32 version of the Citrix Workspace app provides greater functionalities and a streamlined experience.  Starting with Citrix Workspace app version 2305.1 for Windows, the app available in the downloads page and the app available in the Microsoft app store are the same.

For more information, see the blog.

New in App Layering 2309, it is now possible to assign apps elastically to users logging into images running a different OS from the one used to create the app layer. OS layer switching allows you even more flexibility when delivering applications to only the users or groups who require them. Learn more about this exciting new feature in our updated doc pages:

https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers#os-layer-switching-for-elastic-layers

Following a major modernization of the App Layering user interface in 2022, we are continuing to make improvements and add new capabilities. In this update, we are bringing a brand-new UI experience to our XenServer platform connector.

In addition to a new experience, we are incorporating offload compositing support for XenServer. Offload compositing is a new layering architecture that brings modern platform capabilities, such as EFI and vTPM, as well as dramatically improved performance and job throughput when managing app layers and layered image templates.

The updated XenServer connector is now available! Upgrade to App Layering 2309 to take advantage of this powerful new feature.

https://docs.citrix.com/en-us/citrix-app-layering/4/connect/citrix-hypervisor

Citrix Endpoint Management and Mobile Productivity Apps now support Android 14

We're excited to announce that Citrix Endpoint Management and Mobile Productivity Apps are all set to support Android 14, starting with our latest release 23.9.0. Your devices will continue to receive seamless support even after updating to Android 14. For more information about supported operating systems, see Operating system support list.

Citrix Workspace App for Mac is supported on macOS 14 Sonoma.

This feature enables PVS administrators to invoke the Image Portability Service to automate reverse-imaging a PVS vDisk to a native VMware VMDK. After updates are applied, IPS can then be invoked again to re-image the disk back to a PVS vDisk.

Initial support for this feature will be for VMware vSphere only with additional platform support to be added in the future.

This feature is now available. Refer to our doc pages below to learn more:
https://developer-docs.citrix.com/en-us/citrix-daas-service-apis/image-portability-service/pvs-automation

This feature enables admins to change disk and memory cache size to facilitate finding the most optimized cache configuration and adopt changing business needs when changing VM configurations.

FAS notification for Cloud sites

You’ll now receive FAS notifications on your Cloud sites to announce the following FAS server changes:

• RA certificate expiry
• New server version availability
• Server shut down

 For more information, see Support for Cloud notifications.

Citrix Endpoint Management and Mobile Productivity Apps now support iOS 17

We're excited to announce that Citrix Endpoint Management and Mobile Productivity Apps are all set to support iOS 17, starting with our latest release 23.9.0. Your devices will continue to receive seamless support even after updating to iOS 17.

Learn more about this feature in our product documentation here

Allow customers to integrate with other business systems and automate workflows like employee on-boarding and exit, monitor for security, etc.

Following functionality will be available via REST API:

1. Get a list of all admins along with the privileges and identity provider
2. Add/Invite an admin/group
   • Invite Citrix Identity / AzureAD user.
   • Add Google user or AzureAD/SAML/Google group.
3. Delete an admin/group
4. Manage role and permissions of existing admins

API documentation:

https://developer-docs.citrix.com/en-us/citrix-cloud/administrators

Citrix cloud will introduce domain name truncation, which allows unique users to be counted based on their account name alone, disregarding the domain name portion of the user name. 

For example, a user logs in under the following domain accounts:

• [email protected]
• [email protected]   
• [email protected]

When domain name truncation is disabled, Citrix cloud calculates three active users and three licenses consumed.

When enabled, Citrix cloud counts one active user and one license consumed.

Citrix now supports Nutanix Cloud Clusters on Azure. It is a single cluster setup and offers the same functionalities as Nutanix on-premises clusters.

Connector-Gateway PoP Latency

Connector-Gateway PoP Latency is now displayed on the Connector Statistics page. The values represent the P95 values of the synthetic latency calculated for the available Gateway PoPs in your virtual apps and desktops environment.

This information helps you choose and configure the closest Gateway PoP to achieve the optimum session experience. For more information, see Connector Statistics.

Connector-Gateway PoP Latency is also available in the Sessions self-service view as an optional column. For more information about the metrics available on the Sessions Self-service view, see the Sessions self-service article.

Previously, you only got the latest warnings and errors associated with a machine catalog. With this feature, you can now get a list of the historical warnings and errors of an MCS machine catalog. This list helps you to understand any issues with your MCS machine catalog and fix those issues. 

Using PowerShell commands, you can:

• Get a list of errors or warnings
• Change the warning state from New to Acknowledged
• Delete the errors or warnings

For more information, see Retrieve warnings and errors associated with a catalog.

For information on Citrix PowerShell SDK, see [DaaS SDK|https://developer-docs.citrix.com/projects/citrix-daas-sdk/en/latest/].

This feature enables MCS to provision VMs on vSAN 8.   Previously provisioning a VM on vSAN 8 would cause the host to become unresponsive.

Refer to KB articles for details:

https://support.citrix.com/article/CTX547459/creating-a-machine-catalogue-in-a-vsphere-8-environment-causes-host-to-become-unresponsive

https://support.citrix.com/article/CTX131239/supported-hypervisors-for-citrix-virtual-apps-and-desktops-and-provisioning-provisioning-services

The Filters page in Monitor is updated to include separate Saved and Default filters lists for better visualization and accessibility to the filters. You can select a view from among Machines, sessions, Connections, or Application Instances. Then, you can select a filter from the list of Saved filters or Default filters to view the filtered list of data. You can use the drop-down lists to refine the filter criteria or edit existing criteria. You can save your filter in the Saved Filter list. For more information, see the Filters article.

Secure Mail now supports Hybrid Modern Authentication with On-premises Exchange

Hybrid Modern Authentication (HMA) is a user identity management solution that uses a more secure way of user authentication and authorization methods. It is now available for Exchange server on-premises hybrid deployments.

HMA is an OAuth token-based authentication with username and password. It allows on-premises mailbox users to access on-premises Exchange using OAuth tokens, which are obtained from the cloud.

Learn more about this feature in our product documentation here

With this feature, MCS copies tags specified in a machine profile on all resources (including disk and NIC) of a new VM created in a machine catalog. The machine profile source can be an Azure VM or Azure template spec.

Experience Secure Mail in Dark Mode

Secure Mail now embraces dark mode on both Android and iOS for a more user-friendly experience.

Learn more about this feature in our product documentation here

You can now see GPU Utilization of AMD Radeon Instinct MI25 GPUs and AMD EPYC 7V12(Rome) CPUs on Monitor with real-time percentage utilization of the GPU, the GPU memory, and of the Encoder and the Decoder to troubleshoot GPU-related issues on multi-session and single-session OS VDAs. For more information, see GPU Utilization.

Session launch diagnostics helps IT admins understand why a session might have failed for your user by aggregating all the information you need in one place. You can also track and report each session failure independently, and we’ve compiled an exhaustive library of error codes to help you understand what went wrong and what you can do to resolve the problem.

Since launch in April 2022, we have been continually improving the feature. Adding visualization improvements and quick links for error codes from UI to make resolution easier. But there was a dependence for admins to get from end-users, the 32-bit transaction ID from error message generated by Citrix. Now DaaS Monitor has made improvements to enable admins to use of Session Launch Diagnostics when they don't have a transaction ID, by allowing admins to search for failed sessions by username. You can search for a user name, and select a session to triage from a list of failed sessions that the user attempted to launch over the last 48 hours. The Session Launch Diagnostics page shows the details of the failed session. It lists the exact component and stage where the failure occurred. For more information, see the Session Launch Diagnostics article.

The Proactive Notification and Alerting feature in Monitor is enhanced to include a new alert, Failed Machines (in %) based on the percentage of failed machines in a delivery group. The new alert condition, allows you to configure alert thresholds as a percentage of failed machines in a delivery group. For more information, see Failed Machines section in the[ Alerts article|https://docs.citrix.com/en-us/citrix-daas/monitor/site-analytics/alerts-notifications.html#failed-machines-in-].

Many administrators access the Citrix Cloud console to perform specific tasks, such as help desk tasks. Several clicks are required for them to reach their desired destination every single time they sign in. Giving administrators the ability to set or modify a custom landing page saves time and enhances the administrator experience overall. 

All administrators will be able to access their Citrix Cloud console account settings and select the page they'd like to land on after signing in. 

Sometimes, session recording servers may face issues such as upgrade failures, abnormal status etc. This feature provides you the remote troubleshooting and recovery capabilities so that you have better experience and shorter resolve lead time.

With this feature, admin can take snapshot of AWS persistent VM.  The snapshot will consist both disk content and VM configuration content, and the snapshot can be used to restore later

Improved scheduling of Application and Desktop Probes can now be done from Monitor. Using this feature, Citrix Probe Agent can be configured to run the probe tasks on specific days of the week and repeated at specified intervals during the day. This allows you to schedule a single probe task to repeat at specific times of the day and the week. You can now proactively check your site health with probes set to run regularly at suitable times. This feature simplifies probe setup and management in Monitor. For more information, see Application Probing and Desktop Probing.

This feature enables the use of Session Launch Diagnostics starting with the user name if you don’t have the transaction id. This feature is specifically useful for help desk administrators to triage a failed session if the end user hasn’t captured the transaction id. You can search for a user name, and select a session to triage from a list of failed sessions that the user attempted to launch over the last 48 hours. The Session Launch Diagnostics page shows the details of the failed session. It lists the exact component and stage where the failure occurred. For more information, see the Session Launch Diagnostics article.

The Session Details page from Citrix Analytics for Performance is now integrated in Monitor. Click View Session Timeline in the Sessions page in Monitor to view the Sessions Details page from Citrix Analytics for Performance within Monitor. This requires you to have a valid Citrix Analytics for Performance entitlement. The Session Details are available for sessions that are categorized as Excellent, Fair, or Poor in Citrix Analytics for Performance.

You can view a trend of the session experience for the session for up to the last three days along with the factors contributing to the experience. This information complements the live data available in Monitor, used by the helpdesk admin while troubleshooting issues related to session experience.

For more information, see the Site Analytics article.

With this feature, you can now change the configurations specific to an individual persistent VM such as VM size, which will overwrite catalog level configuration. The change is static and versioned, however, you can reverse the change. Some changes can only be applied when a VM is powered off while others can be applied at runtime and take effect immediately. 

Currently, if a VM loses AD domain trust, you can delete, recreate, or rejoin the VM manually. With this feature, you can repair AD domain trust through a PowerShell command. This implementation is applicable to both persistent and non-persistent machine catalogs.

With this feature, when you power off a persistent Citrix Hypervisor VM and put the VM in maintenance mode, you can request to reset the OS disk. This deletes the OS disk, and then recreates the OS disk from the current image that is prepared from the master image. To do this, you can use the PowerShell command, Reset-ProvVMDisk.

With this feature, in Google Cloud virtualization environments, you can now reset the OS disk of a persistent VM to the latest master image in an MCS created machine catalog. To do this, you need to use the PowerShell command Reset-ProvVMDisk.

Previously, customers relied on the public internet to let their Azure endpoints interact with resources in their environment. As a result, security concerns were raised because the public internet was accessed. With this feature, MCS enables network traffic to be routed through a customer's Citrix Cloud Connectors in their environment. This makes the environment safe because cloud resources can now be locked down to connector IPs, including storage.

With this feature, you can now use an instance template as machine profile input, in addition to VM and OS disk. 

Any ProvScheme or CustomProperty value in machine profile input are treated as default, unless overwritten by ProvScheme level or CustomProperty explicitly. After the creation of a machine catalog, you can use instance template as a machine profile input to overwrite the existing machine profile value and ProvScheme configuration.

Federated Authentication Service (FAS) officially supports Venafi Zero touch PKI and HID PKIaaS Certificate Authorities.

The FAS support for Venafi and HID Certificate Authorities is validated through the Citrix Ready program. The following references for official support is available in the Citrix Ready website:
 * Venafi Zero Touch PKI
 * HID PKIaaS

When you create a catalog to provision machines using Machine Creation Services (MCS) in VMware environments, you can now use a machine profile to capture properties such as tags, folder ID, and vSAN storage policy, from a virtual machine and apply them to the newly provisioned VMs in the catalog. This feature avoids the need to specify the properties individually. When the MachineProfile parameter is not used, the properties are not captured from the master image VM. You can also overwrite some of the provisioning scheme parameters such as CPU and memory configuration, folder ID, and subnet that are captured by machine profile.

The feature is only supported on VMware vSphere versions 6.7 and 7.0. 

When a new version of the connector software is released, each connector makes 5 attempts to upgrade. If the upgrade fails to install and the connector fails to verify it's healthy after 5 attempts, the connector enters the "failed" state. The connector also blocks all other connectors in the tenant from upgrading until Citrix intervenes to restart the upgrade. In some cases, the cause of the failures is only intermittent or can be resolved by the customer. However, there has been no way for the customer to restart the upgrade once the issue is resolved. This feature introduces a mechanism for customers to retry upgrades on connectors in the "failed" state without Citrix intervention.

Occasionally customers require scheduled upgrades to be postponed due to external factors such as audit events or other changes happening at the same time. This feature introduces the option to postpone a scheduled connector upgrade by an additional 2 weeks. This can only be done once.

Previously, the Connector Appliance bundled a set of trusted root certificate authorities which had been carefully selected and reviewed. These were used to validate any outgoing connections that the connector established. However, if an intercepting proxy was present which needed to 'man-in-the-middle' traffic between the Connector and its destination, the proxy would be the target of the connection. To do this, the proxy would present its own certificate which the Connector Appliance might not have recognized, resulting in the connection being terminated.

Recently, APIs were added which allowed admins to provide a custom root certificate to be added to the bundle included with the Connector Appliance, allowing connections to be intercepted by proxies. This also allows verification of connections to on-premises components, for example when using Image Portability Service. Documentation on how to configure root certificates can be found here.

This change will greatly simplify the configuration of root Connector Appliances by providing a user interface on the Connector Appliance administrator interface to manage root certificate authorities, including adding, removing, toggling their use, and evaluating expiry dates.

The new registration service for the Federated Authentication Service (FAS) removes the need to open a new browser on the server. This provides a consistent on-premises user experience with other Citrix on-premises products, improves the security posture of FAS servers, and reduces the administrator configuration on FAS servers.
 

FAS supports single sign-on to DaaS in Citrix Workspace, typically when using AAD or other 3rd-part IdP for Citrix Workspace Authentication. Until now, it has not been possible to use FAS with multi-tenant (CSP) environments. This feature adds support for FAS across multi-tenant environments, allowing the SSO functionality to be provided in these configurations.

Citrix Federated Authentication Service (FAS) provides single sign-on (SSO) to domain-joined Virtual Delivery Agents (VDAs). FAS achieves SSO by supplying the VDA with a user certificate, which the VDA uses to authenticate the user to Active Directory (AD). Once you sign on to the VDA session, you can access AD resources without reauthentication.

It’s common to implement Azure Active Directory (AAD) with synchronization between your AD and AAD, which creates hybrid identities for both users and computers. FAS can then achieve SSO to AD, however until now it has not been clear how to achieve SSO to AAD within the session. This change will explain the detail of how to configure AAD and FAS to achieve SSO to AAD.

The released article can be found here: https://docs.citrix.com/en-us/federated-authentication-service//current-release/config-manage/aad-sso.html

Previously, you could only use KMS to activate VMs. With this feature, now you can also activate persistent and non-persistent VMs provisioned through MCS using Multiple Activation Key (MAK). Each VM is activated once using MAK. 

Full access administrators can selectively assign who can access the "Support Tickets" menu options in Citrix Cloud.

All administrators (full and custom access) are retroactively assigned this permission since they all have access to the "Support Tickets" options from within the console today.

In addition to using Google Identity to authenticate Citrix Workspace users, Citrix will be supporting Google Identity for administrator authentication. When you add an administrator, you can select Custom Access to specified services or console functions.

This enhancement adds VMware as a supported target platform for IPS, enabling deployment of PVS or MCS master images into VMware, from a different on-prem or cloud environment.

See the following doc pages for example configurations to create IPS jobs targeting images to VMware vSphere.

https://developer.cloud.com/citrixworkspace/citrix-daas/image-portability-service/docs/workflow#prepare-image-on-vsphere

Citrix Secure Access client now supports single sign-on for the Workspace URL when already logged in via Citrix Workspace app. This SSO functionality enhances the user experience by avoiding multiple authentications.

For more details, see Single sign-on to the Citrix Secure Access client via Citrix Workspace app. 

App Layering is a powerful tool for simplifying and consolidating app and image management in your Citrix environment. With the rich set of features comes a need to control what capabilities your Helpdesk engineers can access. This feature introduces role-based access controls to permit granular assignment of roles for various functions within App Layering.

Role-based access is now available in App Layering 2306:

https://docs.citrix.com/en-us/citrix-app-layering/4/whats-new.html#app-layering-2306-this-release 

Events for adding, modifying, and deleting network locations are now generated in System Log. Additionally, the time, name of the network location impacted (target ID), and the actor are recorded.

For more information, see System Log events for the Citrix Cloud platform in the Citrix Cloud documentation.

We have introduced a new version of oData API (via API gateway) that provides better resiliency and governance and has more computing resources to function efficiently. Customers can leverage this new Citrix Monitor Service data API for troubleshooting and triaging real time sessions and build dashboards using this data set.

This new API supports pagination, aggregation queries on the Citrix Monitor Service data. This feature is not available in OData Version 3 or earlier. Read more

Important Note: In line with previous announcement, and as a final update, the existing endpoint of the following format will be retired by June 30th 2023.
https://[customer_id].xendesktop.net/citrix/monitor/odata/v4/data

To avoid scripting errors/ business interuptions, please switch to the new version of oData APIs hosted on the following endpoint
 https://api-us.cloud.com/monitorodata.
 
For transition planning and more information read this KB article

Citrix Analytics Add-On for Splunk Now Available on Splunk Cloud Platform

Splunk Integration for Citrix Analytics utilizes Citrix Analytics Add-On for Splunk to connect to the analytics environment and bring in business critical data into your Splunk Environment.

With the latest Add-on version 2.1.2, customers have the flexibility to choose between Splunk Enterprise or Splunk Cloud while considering the deployment of our add-on to facilitate Splunk integration.

For more information, see Splunk Integration.

Support for policy global action - Notify End User 

The Policies & Actions feature in Citrix Analytics now supports the Notify End User Global Action which can be paired with built-in or custom risk indicator trigger(s).

This action can be utilized for a variety of compliance use cases such as notifying the users for unsanctioned application usage, or alerting for suspicious behavior on their Citrix accounts without taking any disruptive actions. 

Administrators can create policies with the Notify End User action that generates email notifications for end users only. Administrators can also customize the email message body and subject line depending upon the specific scenario.

For more information, see Notify End User.

In Azure environments, you can now use private endpoints to restrict access to disk contents. This implementation helps you to securely access data over a private link. 

However, if you configure Azure policy to create Disk Accesses automatically for each new disk to use private endpoints, you cannot upload or download more than five disks or snapshots at the same time with the same disk access object as enforced by Azure. This limit is for each catalog if you configure Azure policy at resource group level, and for all catalogs if you configure Azure policy at subscription level.

For more information on using private endpoints to restrict the export and import of managed disks, see Restrict import/export access for managed disks using Azure Private Link.

Leverage single sign-on (SSO) with virtual desktops that are either Azure AD (AAD) or hybrid AAD joined, when using Azure AD as your Identity Provider (IdP).

Citrix Device Posture Client will now be built into Citrix Workspace Application (CWA).

A built-in Device Posture Client will:

• Enhance the end user experience with a unified application
• Ease of Deployment for administrators
• Improve performance by reducing the time to complete scans on an end device

Previously, you could schedule image updates by waiting for the MCS machine's next reboot, or by triggering an immediate reboot to all the VMs in the catalog. With this feature, you can now create a reboot schedule for a desired catalog or VM(s) to occur once on a desired date and time in an effort to facilitate scheduled MCS image updates. This feature affects both on-premises Citrix Virtual Apps and Desktops and Citrix DaaS cloud environments. This can be used with either single-session or multi-session delivery groups.

You can create a one-time reboot schedule for:

• A single VM
• Multiple VMs in same catalog
• Entire catalog

You can also change an existing time schedule or delete an existing time schedule. For more information, see https://docs.citrix.com/en-us/citrix-daas/install-configure/machine-catalogs-manage.html#change-the-master-image.

Information on the PowerShell SDK command will be included in https://developer-docs.citrix.com/projects/citrix-daas-sdk/en/latest/Broker/New-BrokerCatalogRebootSchedule/.

Citrix Secure Access client now supports single sign-on for the Workspace URL when already logged in via Citrix Workspace app. This SSO functionality enhances the user experience by avoiding multiple authentications.

For more details, see Single sign-on to the Citrix Secure Access client via Citrix Workspace app. 

Previously, to create an Azure Active Directory (AAD) joined machine catalog, master image could not be AAD joined. With this feature, master image can be either AAD joined or not AAD joined for creating AAD joined machine catalog.  

Citrix now supports Azure AD dynamic security group for a machine catalog. Dynamic membership rules, which are based on the naming scheme of a catalog, assign a dynamic security group to the VMs in the catalog. Dynamic security groups are useful when you want to manage the VMs by Azure Active Directory (Azure AD). They are also useful when you want to apply Conditional Access policies or distribute apps from InTune by filtering the VMs with Azure AD dynamic security groups.

Previously, when creating an Azure Active Directory (AAD) joined machine catalog, you could not use a Microsoft Intune enrolled master image. Now, with this feature, you can use a Microsoft Intune enrolled master image. This functionality requires VDA version 2212 or later.

Previously, MCS only offered locally-redundant storage (LRS). With this feature, you now also have Zone-redundant storage (ZRS) option for storage in Azure. This feature provides you the option to select a storage type depending on the type of redundancy storage that you want to use. ZRS replicates your Azure managed disk across multiple availability zones, which allows you to recover from a failure in one zone by utilizing the redundancy in others.

Current limitations:

• Only supported for managed disks
• Only supported with premium and standard solid-state drives (SSD).
• Only available in certain regions.

For more information, see Redundancy options for managed disks.

Previously, Citrix Machine Creation Services (MCS) created virtual machines without changing synchronization method in the master image.  This feature enables NT5DS as default time synchronization method for Active Directory and Hybrid Azure Active Directory joined virtual machines that MCS creates.

With this feature, you can create a machine catalog of Azure VM with double encryption. Double encryption is essentially platform-side encryption (default) + customer managed encryption (CMEK). If you are a high-security customer who is concerned about the risk associated with any particular encryption algorithm, implementation, or key being compromised, you can now opt for an additional layer of encryption. This new layer can be applied to persistent OS and data disks, snapshots, and images.

With this feature, in Azure environments, you can change a legacy machine catalog to a machine profile based machine catalog. This will enable you to acquire many new features from the machine profile, such as tags, accelerated networking, and so on, without recreating the machine catalog. You can have a VM or template spec as an input for the machine profile. The change can also be applied to the existing VMs. However, an existing machine profile based MCS machine catalog cannot be changed to non-machine profile based MCS machine catalog.

We've introduced a new setting in Full Configuration to simplify the cleanup of stale Azure AD joined devices in Citrix DaaS. Previously, you had to run a custom PowerShell script to perform the task. With the new setting, you can now assign host connections permission to automatically clean stale Azure AD joined devices.

With this feature, when you power off a persistent Azure VM and put the VM in maintenance mode, you can request to reset the OS disk. This deletes the OS disk, and then recreates the OS disk from the current image that is prepared from the master image. To do this, you can use the PowerShell command, Reset-ProvVMDisk.

You can now redirect the front camera of your device into the session. Both 32-bit and 64-bit applications are supported. By default, the auto-redirection of the webcam is enabled.

Citrix Provisioning on Azure is supporting customer-managed encryption keys to encrypt all managed disks, which are BDM Boot disk and WBC disk, associated with each target device. With this support, you can manage your organizational and compliance requirements by encrypting the managed disks of your machine catalog using your own encryption key. You can assign a Disk Encryption Set (DES) ID to the boot disk of the template VM. This DES is applied to all disks created when targets are provisioned using Citrix Virtual Apps and Desktops Setup Wizard. For more information, see Citrix Provisioning on Microsoft Azure.

Citrix Provisioning on Azure is supporting the ability to create provisioning targets in specific availability zones. To deploy the target devices, you can run the Citrix Virtual Apps and Desktops Setup Wizard and select a template VM that specifies the availability zone in which it must be created. For more information, see Citrix Provisioning on Microsoft Azure. 

With this enhancement, you can export XenServer images using the Image Portability Service to upload and prepare them for a different target platform (such as Azure).

https://developer.cloud.com/citrixworkspace/citrix-daas/image-portability-service/docs/workflow#export

Following a major modernization of the App Layering user interface in 2022, we are continuing to make improvements and add new capabilities. In this update, we will be bringing a brand-new UI experience to our vSphere platform connector.

This feature is now available in App Layering 2304:
https://docs.citrix.com/en-us/citrix-app-layering/4/whats-new.html#app-layering-2304-this-release

Following the popular release of the Azure Deployments connector in App Layering 2211, we are releasing a highly demanded enhancement to the feature.

Normally, to configure and use the latest Azure features with App Layering, you must deploy an App Layering appliance natively within Azure. Many customers prefer to manage App Layering outside of Azure, and use the Azure Deployments connector to create layered images inside of Azure remotely.

We are adding support for this by including an app registration credential in the Azure Deployments connector configuration.

This is feature is now available in App Layering 2304:
https://docs.citrix.com/en-us/citrix-app-layering/4/connect/azure-deployments.html#app-layering-appliance-machine-identity

This enhancement enables admins to incorporate Active Directory attribute variables in the policy which defines the network path to where the user layers are located.

Enabling the use of AD attributes (along with environment variables which are already supported), admins can dynamically attach a user layer to a machine based on properties, such as the AD user login, or other AD properties of the user.

This feature is now available in App Layering 2304:
https://docs.citrix.com/en-us/citrix-app-layering/4/whats-new.html#app-layering-2304-this-release

Today, service continuity connection leases are removed from devices if an end user explicitly logs off of the Workspace app. Without these connection leases, end users can't launch apps and desktops during outage scenarios. 

Currently, administrators can use PowerShell to configure lease files so they remain with the end user during outages. A new setting will be added to Workspace Configuration that administrators can configure to preserve connection leases on logoff.

With this feature, you can use MCS to provision a catalog with Azure confidential VMs. You can use a machine profile workflow to create a catalog. MCS can capture confidential VM properties from both VM based and ARM template based machine profile inputs.

Title: Data export of performance metrics and integration with the Splunk Observability (Preview) 

Citrix Analytics for Performance is now integrated with the Splunk Observability platform. You can use the Data Export feature to export performance data and events from Citrix Analytics for Performance to Splunk.

You can get a holistic view of the performance metrics of all on-premises Citrix Virtual Apps and Desktops sites and DaaS cloud services that have been onboarded to your Citrix Analytics for Performance service on the Observability platform. Further, you can combine and correlate performance metrics from Citrix Analytics for Performance data with the external data sources connected within your Splunk instance.

You can create dashboards and reports in a regular cadence and derive actionable business insights into the performance of your virtual apps and desktop sites.

For more information, see the Data Export article.

To leverage this functionality, please sign up and enroll to the Tech Preview. 

You can now assign custom Citrix Cloud administrator permissions to users and groups of your Azure Active Directory, to access Citrix Analytics for Performance.
The administrative permission must be configured on Citrix Cloud using Identity and Access Management > Administrators.
For more information, see Identity and access management.

This integration enables a streamlined approach to manage service access permissions for administrator users and groups.

For more information on managing roles, see Manage Administrator Roles for Performance Analytics.

Starting with the 2305 release, webcam redirection is supported for 64-bit applications.

System requirements

• GStreamer framework version 0.1.x or 1.x depending on the current version installed in the system.
• ICAClient version greater than 2106 in case it is using GStreamer 1.x
• Gstreamer version and plug-ins:
  • gstreamer1.0-plugins-base
  • gstreamer1.0-plugins-bad
  • gstreamer1.0-plugins-good
  • gstreamer1.0-plugins-ugly
  • gstreamer1.0-vaapi plugin and libva library
  • x264 library

NOTE:

The version of the GStreamer plug-in must be consistent with the version of the GStreamer framework. For example, if you install the Gstreamer1.2.4, the version of all Gstreamer1.x plug-ins must be 1.2.4.

Webcam redirection configuration

Do the following steps to activate and configure the webcam redirection feature for 64-bit apps on Citrix Workspace app for Linux.

Step 1: Verify the ICAClient configuration

Set the AllowAudioInput value to True to enable the webcam redirection feature. By default, this value is set to True during the installation of ICAClient.

If the AllowAudioInput value is set to False, do the following to enable the webcam redirection feature:

1. Navigate to the ~/.ICAClient/wfclient.ini configuration file and edit it.
2. Set the AllowAudioInput value to True.

AllowAudioInput=True

Step 2: Verify the Theora encoder configuration

After you have successfully installed the ICAClient and the AllowAudioInput value is set to True, by default the Theora encoder is configured. This encoder is a software-based encoder with acceptable performance. However, this encoder supports only 32-bit apps on a VDA.

Do the following to verify that the Theora encoder supports 32-bit apps:

1. Install Firefox 32-bit on a VDA.
2. Access the webcam test site at https://webcamtests.com/

The Theora encoder does not support the webcam redirection feature for 64-bit apps on a VDA. Configure the H264 encoder option to support the webcam redirection feature for 64-bit apps on VDA.

Step 3: Configure H264 encoder

H264 encoder supports the webcam redirection feature for 64-bit apps on the VDA. To enable the H264 encoder, you must do the following:

1. Navigate to the ~/.ICAClient/wfclient.ini configuration file and edit it.
2. Set the HDXH264InputEnabled value to True.

HDXH264InputEnabled=True

Do the following to verify that the H264 encoder supports 64-bit apps:

1. Install Firefox 64-bit on a VDA.
2. Access the webcam test site at https://webcamtests.com/.

Step 4: Verify system dependencies

After configuring the H264 encoder, if the webcam redirection feature does not support 64-bit apps on the VDA verify the system dependencies.

The webcam redirection feature for the 64-bit app is based on the GStreamer framework. The ICAClient uses GStreamer framework version 0.1.x or 1.x depending on the current version installed in your system.

Step 4.1: Verify ICAClient version

Verify whether the ICAClient version is greater than 2106 in case it is using GStreamer 1.x. Previous versions of ICAClient might fail.

Do the following steps to verify the ICAClient version is based on the GStreamer framework installed in your system:

1. Enter the following commands in a command-line:
    
    
    {{cd /opt/Citrix/ICAClient/util }}
    
    
    {{ls -alh }}
2. Verify whether the gst_read symlink is linked to gst_read1.0 or gst_read0.1. as shown in the following image:

You can also run the workspaceappcheck.sh script in the util directory and verify the output of the section referring to GStreamer dependencies.

Citrix recommends using the ICAClient version greater than or equal to 2106 and GStreamer 1.x.

Step 4.2: Verify Gstreamer version and plug-ins

Apart from the GStreamer 1.x framework, you must install the following required plug-ins:

• Gstreamer1.0-plugins-base
• Gstreamer1.0-plugins-bad
• Gstreamer1.0-plugins-good
• Gstreamer1.0-plugins-ugly
• Gstreamer1.0-vaapi plugin
• ibva library
• x264 library

For more information to install the preceding plugins, see the GStreamer installation guide.

NOTE:

The version of the GStreamer plug-in must be consistent with the version of the GStreamer framework. For example, if you install Gstreamer1.2.4, the version of all Gstreamer1.x plug-ins must be 1.2.4.

Run the following command to check the current version of the GStreamer framework:
 
 
 {{gst-inspect-1.0 --gst-version }}
For information about troubleshooting, see Webcam in the troubleshooting section.

You can create multiple access rules and configure different access conditions for different users or user groups within a single policy. These rules can be applied separately for both HTTP/HTTPS and TCP/UDP applications, all within a single policy. For details, see Configure an access policy with multiple rules.

In order to take advantage of the latest features and functionality, administrators must upgrade VDAs regularly, which can often be a manual or time-consuming process. With VDA upgrade service, available with Citrix DaaS entitlements, admins can now quickly push VDA upgrades to individual persistent machines, remote PC access, entire machine catalogs in minutes via Web Studio or PowerShell. This time-saving feature supports any cloud or hypervisor, as well as non-domain joined machines, AAD joined on top of AD-joined machines, and Citrix HDX Plus for Windows 365 VDAs, as long as the catalog is persistent.

 
For more information, see Upgrade VDAs using the Full Configuration interface in the product documentation and the announcement blog.

Multitasking split view for Secure Mail on iPad devices

Secure Mail enhances your productivity to the next level by supporting multitasking on iPad devices. You can now multitask effortlessly with the choice of Split View or Slide Over options.

Learn more about this feature in our product documentation here.

This change makes available public APIs which can be used to create, delete and set update schedules on resource locations programmatically.

API documentation:

https://developer.cloud.com/citrix-cloud/citrix-cloud---resource-locations/docs/overview

https://developer.cloud.com/citrix-cloud/citrix-cloud---maintenance-schedules/docs/overview

Federated Authentication Service (FAS) officially supports Sectigo and Keyfactor Certificate Authorities. It's no longer required to use Microsoft Certificate Authority while using FAS.

The FAS support for Sectigo and KeyFactor Certificate Authorities is validated through the Citrix Ready program. The following references for official support is available in the Citrix Ready website:

• Sectigo Certificate Manager
• Keyfactor Command

Events for adding, modifying, and deleting resource locations are now generated in System Log. Additionally, the time, name of the resource location impacted (target ID), and the actor are recorded.

For more information, see System Log events for the Citrix Cloud platform in the Citrix Cloud documentation.

Previously, the Connector Appliance bundled a set of trusted root certificate authorities which had been carefully selected and reviewed. These were used to validate any outgoing connections that the connector established. However, if an intercepting proxy was present which needed to 'man-in-the-middle' traffic between the Connector and its destination, the proxy would be the target of the connection. To do this, the proxy would present its own certificate which the Connector Appliance might not have recognised, resulting in the connection being terminated.

With this change, admins are able to provide a custom root certificate to be added to the bundle included with the Connector Appliance, allowing connections to be intercepted by proxies. This also allows verification of connections to on-premise components, for example when using Image Portability Service.

Documentation on how to configure root certificates can be found here.

When an administrator first accesses the Connector Appliance management console, they are asked to set a password. However, after setting the password, there was previously no mechanism by which to change it. Today, administrators can change the password with an API call. With this enhancement, administrators will be able to change the password through the Connector Appliance administrator interface.

The user menu at the top-right of the console will include both account-level and personal settings in one easy-to-use interface.

The information currently displayed in "My Profile" sections will be consolidated into one "My Settings" page. The "Company Settings" will reflect account-specific configurations based on the administrators role.

As a supplement to the Session Recording management dashboard, the Session Recording service introduces an activity feed to improve data visibility and data visualization.. The activity feed gives you information about the events and tasks that happened in the past.

Citrix support for Google Cloud Identity authentication enables Citrix Workspace authentication using both native Google Identity accounts and Active Directory backed accounts. It also enables non-domain joined Citrix DaaS workloads with Workspace authentication configured to Google Cloud Identity. Organizations who have invested in Google Workspace and Cloud identity enjoy simplified deployments and reduced costs as the need for Active Directory and Cloud Connectors is eliminated.

For documentation, see Connect Google Cloud Identity as an identity provider with Citrix Cloud.

Excited to announce the general availability of two new iOS MAM SDK frameworks: Xamarin and Cordova.

With this announcement we’re expanding the supported list of MAM SDK frameworks to deliver our customers’ developer community more choices to complete the migration from legacy MDX technology to Citrix Endpoint Management MAM SDK technology.

More information can be found in this blog. 

Released in Q4 2022, Image Portability Service now supports preparing on-premises Machine Creation Services and Provisioning Services images to run in AWS. This adds AWS to the list of supported public clouds, which also includes Azure and Google Cloud.

As of version 2206, the App Layering management console has been redesigned and modernized:

• No longer requires Silverlight or Internet Explorer
• Improved performance and easier navigation
• Streamlined workflows with an updated look and feel
• Supports modern browsers and plugins
• Provides a new framework for future features and workflows

Support for using ARM template specs as machine profiles. Previously, you could use only VMs as machine profiles. You can now use ARM template specs as machine profiles as well when creating Azure machine catalogs. This feature lets you take advantage of Azure ARM template features such as versioning. To ensure that the selected spec is configured correctly and contains required configurations, we perform validation on it. If the validation fails, you are prompted to select a different machine profile.

Global App Configuration Service will allow administrators to test the settings before rolling it out to all users. This feature allows to resolve any issues before applying the Global App configurations to the entire user base.

Now, admins can directly make API calls or use CSV file import/export functionality to edit and configure multiple applications at once. This will help the admins in multiple scenarios such as:

1. Configuring multiple applications
2. Editing multiple applications
3. Transitioning from Staging to the Production environment

For more details, see Getting started with the Secure Private Access API. 

The App-V node is renamed to App Packages and redesigned to accommodate more types of Microsoft packaged apps. Previously, you had to use the discovery module to add App-V packaged apps to your environment for delivery. You can now add and deliver the apps in one place by using the App Packages node.

Machine Load metrics based on the Load Indicator are added in the Machines Self-Service View. These metrics help quickly check the load on machines without having to drill down to multiple machine parameters like the CPU usage, memory utilization, and the number of sessions on the machine.

1. The Machines self-service view now shows machine categorization based on the Load Indicator of the machines. Load Indicator for a machine is calculated based on the resource utilization, the overall user experience on the machine and the number of sessions hosted in the case of multi-session OS machines. The value is aggregated over the selected time period. In the Machines self-service view, select Load in the Machine categorization dropdown. The machines are categorized as follows:
   • High (red) - Machines with Load Indicator in the range 71-100
   • Medium (green) – Machines with Load Indicator in the range 41-70
   • Low (amber) – Machines with Load Indicator in the range 1-40.
   • Not Categorized - The machines might be not categorized if they are in shutdown, unregistered, or failed state or if the resource data is not available for the machine.
2. The Load facet with High, Medium, Low, and Not Categorized options helps filter the machines to help further analysis.
3. Machines self-service view has a Load Indicator column that shows the load score of the machine. The machine performance parameters available upon expansion of the machine row now show the number of High, Medium and Low Load Instances for the selected period. This helps quantify and evaluate the load on the specific machine.

This feature helps identify machines that are underutilized or overloaded. This further enables proactive action to ensure optimal usage of the the infrastructure and improve the overall machine performance. For more information, see the Self-service article.

The Session Recording service lets you subscribe to email notifications to notify specific recipients about resource usage alerts, server status changes, and the results of automated tasks for archiving and deleting recordings. You can configure the topics you are interested in such as CPU usage, storage status, and network performance etc. You can also configure default recipients as well as particular recipients for certain topics.

This feature grants the ability to check end user's device posture using Endpoint Protection via CrowdStrike. This information can be used to provide Contextual access into Citrix Workspace. 

Until now, administrators were able to configure Citrix policies using PowerShell or Studio only. With this new feature, administrators can configure Citrix policies using REST APIs.

Application discovery feature helps an admin get visibility into the internal private applications such as web apps and client server apps (TCP and UDP based apps) in their organization and the users accessing those applications. Admins can discover the apps by specifying the scope of the domains (wildcard domains) or IP subnets. For details, see Application discovery.

The integration of the Always on ZTNA before Windows Logon feature for Secure Private Access service establishes pre-logon connectivity for the Secure Private Access users before they log on to the machine.

Always on ZTNA before Windows Logon capabilities: 

• An administrator can provide a one-time password to first time users working remotely using which users can connect to the domain controller to change their password.
• An administrator can remotely manage/enforce AD policies to the device even before the user logs in.
• Multiple users can use the same machine. Access to the resources is provided based on the user profile. For example, multiple users can use a machine in a kiosk without hassle.
• Users working remotely can connect to the domain controller to change their password.
• Windows machine can verify the user’s login credentials using the corporate active directory (AD) and Windows credentials on the machine are not cached. Also, new corporate AD users are enabled to seamlessly log on to the machine.
• ZTNA for a Windows machine remains connected even when different users log in or log out to the machine.

Currently, role/scope pairs in Identity and Access Management (IAM) are presented as a single list. While this list may be effective for out-of-the-box pairs, it is not suitable for customers with a large number of custom roles and scopes. For example, a customer with 15 scopes and 10 roles will see a list of 15x10 rows to choose from when assigning administrator permissions.

This list will be redesigned so that roles and scopes can be selected as primary and secondary options. This model will present a clearer format for assigning administrator permissions, improve load performance, and reduce the number of clicks needed when assigning permissions. For more information, see the Configure custom access for an administrator article. 

Distributors will be able to access license usage data for all their partners using the Citrix Cloud API. Distributors will be granted administrator access to their partner accounts using the "Secure Clients" permission and a new License Usage Insights permission specifically for distributors. With these permissions, distributors can use the Citrix Cloud API clients that partners create and share with them to gather partner license usage data.

Citrix Gateway service now supports Loss tolerant mode (preview), which uses EDT Lossy transport protocol to enhance the end-user audio experience for users connecting through networks with high latency and packet loss.

EDT Lossy is a loss-tolerant transport protocol that allows packet loss in transmission without resending multimedia content, resulting in a more real-time experience for users. It is also the preferred mode for audio, ensuring superior audio quality compared to EDT during lossy network conditions

You can now create configuration partitions within a single Citrix DaaS instance. You achieve that by creating tenant scopes in Administrators > Scopes and associating related configuration objects, such as machine catalogs and delivery groups, with those tenants. As a result, administrators with access to a tenant can manage only objects that are associated with the tenant. This feature is useful, for example, if your organization:

• Has different business silos (independent divisions or separate IT management teams) or
• Has multiple on-premises sites and wants to maintain the same setup in a single Citrix DaaS instance.

Also, the Full Configuration interface lets you filter tenant customers by name. By default, the interface displays information about all tenants.

The feature is available for both Citrix Service Providers (CSPs) and non-CSPs. The interface in a CSP environment is essentially the same as that in a non-CSP environment except for the method used to create tenants.

• CSPs onboard tenant customers to Citrix DaaS and then configure administrator access to Citrix DaaS. For more information, see Citrix DaaS for Citrix Service Providers.
• Non-CSPs create tenant customers by first creating scopes and then configuring custom access for respective administrators. For more information, see Create and manage scopes.

With this feature, MCS provides new PoSH commands to list leaked resources that are created by MCS, but are no longer used by MCS on Azure. This helps you to avoid extra costs. For more information, see Retrieve a list of orphaned resources.

The Full Configuration Management console supports simulation (modeling) of policy application to VDAs. The result of a run of such simulation is also known as Resultant Set of Policies (RSoP). The list of accepted and denied set of Citrix policies and settings with appropriate reasons are displayed in the result. With this feature, administrators can see how policies and settings are applied to a VDA machine and to an end user to assist in testing and troubleshooting.

With this features, users will be able to configure Storefront settings through Global App Configuration Service Admin UI. Users will be able to add and view recently added stores and verify if a store is valid/invalid. 

Microsoft Endpoint Manager (MEM) classifies a user’s device as compliant or registered based on its policy configuration. During user login into Citrix Workspace, device posture can check with MEM about the user’s device status and use this information to classify the devices within Citrix Cloud as compliant, non-compliant (partial access), or even deny access to the user login page. 

Services like Citrix DaaS and Citrix Secure Private Access in turn use device posture’s classification of devices to provide contextual access (Smart Access) to virtual apps and desktops, and SaaS and Web apps respectively.

For more details, see Microsoft Endpoint Manager integration with Device Posture - Preview. 

The DNS suffix feature of the Citrix Secure Private Access service can be used for the following use cases:

• Enable the Citrix Secure Access client to resolve a non-fully qualified domain name (host name) to a fully qualified domain name (FQDN) by adding the DNS suffix domain for the back-end servers.
• Enable admins to configure applications using IP addresses (IP CIDR/IP range), so that the end users can access the applications using the corresponding FQDN under the DNS suffix domain.

For details, see DNS suffixes to resolve FQDNs to IP addresses.

Cloud licensing for the Citrix Gateway service now includes an improved user experience to make it easier to stay abreast of your usage under multiple entitlements and keep track of any overage.  The licensing summary page has been revamped so you can see overviews for all  your entitlements and overage at a glance.  A new tabbed interface allows you to see usage details of your monthly, annual, and termed entitlements with a minimum of clicks.  Finally, calculating bandwidth is based on the allocation of the entitlements you've purchased, instead of on the fixed bandwidth model that was previously used. 

For more information, see Monitor bandwidth usage for Gateway service in the Citrix product documentation.

This feature will enable users to access virtual and local drives on a local machine from virtual desktop. Users will need to select the level of access they need (i.e. read access, read/write access, or no access) and be able to either read or edit files. 

With this feature, any user will be able to add/remove background blurring effect on MS Teams optimization during or outside of a audio/video/screen share session.

Previously, only a single audio playback and recording device was supported and displayed as Citrix HDX Audio irrespective of the real device name.

Starting with the 2301 version, we support multiple audio devices and redirect them to VDA. Now, when you redirect USB audio devices, you can view the real name of the audio device under the Sound settings > Playback and Sound settings > Recording on the VDA. The list of devices on the VDA is dynamically updated whenever an audio device is plugged in or removed.

Known Limitations

• On the VDA, the name of the built-in audio device is in English only. The issue occurs when you use ChromeOS-based devices.

Renamed some actions to better align with their actual meanings. We've renamed the following actions in Full Configuration > Machine Catalogs and Full Configuration > Delivery Groups. The workflows for performing those actions remain unchanged.

• Update Machines renamed to Change Master Image
• Rollback Machine Update renamed to Roll Back Master Image
• Upgrade Catalog renamed to Change Functional Level
• Upgrade Delivery Group renamed to Change Functional Level
• Undo Upgrade Catalog renamed to Undo Functional Level Change
• Undo Upgrade Delivery Group renamed to Undo Functional Level Change

This feature will grant administrators the ability to check a device's posture by checking if there is valid certificate installed.

Based on this:

• Users may be allowed/denied login access
• Contextual access will be based on type of device

Track the progress of catalog creation and updates. Full Configuration now lets you stay up to date on catalog creation and updates. You can gain an overview of the creation and update process, view the history of steps performed, and monitor the progress and running time of the current step. For more information, see Start creating the catalog.

Citrix Workspace app for iOS now allows you to switch the camera position from front to rear and conversely, within the HDX session.

A floating button appears when you invoke the camera. Single tap on the floating button to switch between the front and rear camera positions.

You can also move the floating button freely around the screen and place it anywhere.

Starting with version 2302, you can save the selection for multi-monitor screen layout in custom web stores.

As a prerequisite, you must enable this feature in the AuthManConfig.xml file. Navigate to $ICAROOT/config/AuthManConfig.xml and add the following entries:

<key>ScreenPinEnabled</key>
<value> true </value>

Only after adding the preceding key, you can see the Screen Layout option in the Citrix Workspace app menu.

For more information see, Screen pinning in custom web stores [Technical Preview] section.

You can provide feedback for this technical preview by using the Podio form.

Administrators with the "Notifications" role now see a new "Dismiss All" button on the Notifications page. This button allows administrators to dismiss all their notifications in one operation. Administrators can still dismiss individual notifications by selecting each one.

Dismissing notifications only affects the signed-in administrator. Other administrators on the Citrix Cloud account can still see and dismiss their own notifications. For more information, see Dismiss Notifications in the Citrix Cloud documentation.

This feature ensures that links that were configured for end-user to be opened via Citrix Workspace Browser are opened through this designated browser despite the point of origination (i.e. native app link). It helps provide the end-user with a VPN-less access to internal web apps, and for the administrators, it helps ensure that security policies are applied correctly.

This feature will help offer our users more control over the browsing solution through a a Citrix solution - Global App Configuration Service.

This feature grants the ability to categorize user traffic as internal or external. These location tags will grant contextual access for DaaS and SPA.

Users will have the ability to have an easier login experience to the Workspace app and virtual sessions via biometrics, mobile devices and/or FIDO security keys.

Device Posture Service can now verify the version of CWA (Citrix Workspace App) on iOS platform.

Based on this:

• User can be allowed/denied login
• Contextual access will be based on type of iOS device 

Android Workspace app users will be supported for a multi-window approach where sessions will have the ability to open as a separate window. Users will also have the ability to extend sessions on displays and switch between sessions.

The DPI matching feature ensures that the DPI scaling setting present in a remote desktop matches your device’s DPI setting. In general, the display clarity depends not only on resolution but also on the density of the pixels (DPI).

Previously, the sessions were rendered by resolution settings and those sessions weren’t clear even on high-DPI mobile phones or tablets.

Starting with the 2212 release, a new UI is introduced to achieve DPI matching. On your device, go to Citrix Workspace app for Android Settings > General > Display > Session Resolution > and select the *Match client DP*I option.

You can now connect an Android phone, or an Android tablet to an external monitor, or a TV and the session display scales according to the optimal DPI settings. You can use the Samsung DeX mode too. In other words, the Citrix Workspace app attempts to match the display resolution and DPI scale settings of the Android device to the Citrix session automatically.

This feature enhances the user experience by rendering the sessions according to the DPI of the phone or tablet. The session icons, text, and image clarity are now sharper and more comfortable to read. By default, the DPI matching feature is disabled.

App Protection will be made available for the Workspace Android app. App Protection helps admins ensure security of their users by preventing screenshot captures within the app and sessions and prevents key strokes from getting captured via key logging tools.

Insider threat and Data exfiltration monitoring with VDI insession clipboard events

Citrix Analytics for Security now allows aggregation and export of VDA.Clipboard events.
These events are triggered by VDI session clipboard place (movement of clipboard data from Session to endpoints) in Citrix Apps and Desktops. Clipboard logs provide vital information from proprietary Citrix protocols (HDX) such as the VDA name, clipboard size, clipboard format type, client IP, clipboard operation, clipboard operation direction, and whether the clipboard operation was permitted. This provides admins visibility into any Data exfiltration risks across VDI environments. The VDA Clipboard events are available for search, reporting and correlation across various Citrix Analytics for Security features as listed below.

• Self-service search: You can review the VDA.Clipboard results along with all its attribute details and save reporting queries for compliance
• Custom Risk Indicators:  Clipboard events and metadata attribtes are available within Custom Indicators framework. You can use these event key/value pairs to configure custom indicator triggers and create action policies with it.
• SIEM Data export: Clipboard events and metadata is also made available for SIEM event export with Splunk, Sentinel, Elastic and via our generic Kafka export mechanism. This will enable SOC threat hunting to build in-session profiles for end users for risk analysis and post incidence triage.

To enable the clipboard telemetry and transmission of clipboard logs to Citrix Analytics for Security, you need to create registry keys and configure your VDA accordingly.

For more information, see the following article/blog:

• Enabling clipboard telemetry for Citrix DaaS
• Uncover VDI and DaaS data risks with in-session clipboard monitoring

With this feature, you can now specify a time slot to schedule a configuration update. To do this, you can use the PowerShell command Schedule-ProvVmUpdate.  Any power cycle other than scheduled time slot will not trigger configuration updates.  You can also cancel the update before the scheduled time using Cancel-ProvVmUpdate. 

You can schedule and cancel configuration update of:

• A single or multiple VMs
• An entire catalog

Citrix supports group based (AAD and SAML) administrator access to cloud platform functions.

When you add an AD administrator group to Citrix Cloud, you can select permissions from the General category to allow access to specific areas of the management console, such as Licensing and Resource Locations.

We are excited to announce newly designed Citrix Secure Hub for iOS app store experience! The Citrix Secure Hub app store improvements include the following:

• App installation flow: This simplifies the installation process of optional apps using Citrix Secure Hub for iOS.
• Categories carousel: You can group app categories to let users access only certain apps, stores, or web links on a scrollable carousel.

More information can be found in this blog. 

Users will now be able to install the Zoom media plug-in via the Citrix installer to help simplify the installation process and enhance the user experience. For more information, see Client App Management for Zoom plug-in.

This release provides an enhanced user experience while reconnecting to virtual apps and desktops from which you got disconnected.

When Citrix Workspace app attempts to refresh the disconnected Citrix Workspace app or start new virtual apps or desktops as a part of the Workspace Control feature, "Restore Session" prompt will appear.

This prompt appears only when the show reconnection prompt to reconnect sessions is set to true in the Global App Configuration service.

Click Restore to reconnect to open new and disconnected virtual apps and desktops. If you want to start only newly selected apps and desktops, click Cancel.

You can also select Remember my preference to apply the selected preference for the next login.

The preceding new Restore session? prompt appears only if:

• the user tries to start an app belonging to a workspace store,
• admin policies or app config settings are not configured for the Workspace Control feature,
• Workspace Control Reconnect options are set to default on the client.

Users now have the ability to push settings to Workspace App running on managed iOS / iPAD device MDM Solutions

The inactivity timeout feature signs you out of the Citrix Workspace app based on a value that the admin sets. Admins can specify the amount of idle time that is allowed before a user is automatically signed out of the Citrix Workspace app. You’re automatically signed out when no activity from the mouse, keyboard, or touch occurs for the specified interval of time, within the Citrix Workspace app window. The inactivity timeout does not affect the already running Citrix Virtual Apps and Desktops and Citrix DaaS sessions or the Citrix StoreFront stores. This feature is applicable only on cloud deployments.

The inactivity timeout value can be set starting from 10 minutes to 1440 minutes. The interval to change this timeout value must be in multiples of 5. For example: 10, 15, 20, or 25 minutes. By default, the inactivity timeout isn’t configured. Admins can configure the inactivityTimeoutInMinutes property by using a PowerShell module.

For more information on how to configure InactivityTimeoutInMinutes, see Inactivity Timeout for Citrix Workspace app section.

This feature is available in version 2303 and later.

The Cloud Connector advanced health metrics allows insights into the health of Cloud Connectors and the raising of notifications for certain functionality. This development will make the same data available on authenticated endpoints so that administrators are able to configure their own monitoring and alerting solutions. Once available, APIs will be documented in the Citrix Cloud Developer Portal.

The Search option allows you to do a quick and intuitive search from within the Workspace app.

It includes the following improvements:

• Default search displays the five most recently used apps or desktops
• Searches are enabled with spellcheck, and display auto complete results
• Search results include apps within virtual sessions based on recently accessed, and Web and SaaS apps.
• Search by Categories
• Search result lists the favorites at the top.

Users will now be able to see all of their running app and desktop sessions in a quick access menu within Workspace and will be able to interact with them. This new feature will offer an easy-access, simple-to-use drop-down interface right at the top next to profile icon. Users will see a list of running app and desktop sessions, not just from the local device but also those started on other devices. They can also disconnect apps and log off desktop sessions from their mobile devices on the go.

For more information, see Activity Manager on our product docs: https://docs.citrix.com/en-us/citrix-workspace/get-started/activity-manager.html 

On the Citrix Workspace app, the administrators the ability to enable or disable the Home page for user groups, which allows the users to view and organize their apps better. The Apps tab next to the Home tab lists all the apps alphabetically, with the favorite apps pinned at the beginning. You see several admin created categories below the navigation tab and by default, all these categories are visible.

When you launch the downloaded Citrix Workspace app or Citrix from a browser for the first time, you're prompted with a screen that lists the relevant apps. These apps are decided by the admin, and you can add these apps as favorites with a single click.

NetScaler advanced authentication policy (nFactor) is now supported for mobile application management (MAM) on the iOS and Android platforms. 

By leveraging nFactor, customers can elevate the security posture for their iOS and Android enrollments with multi-factor authentication. Whether you want to fully manage mobile endpoints (MDM + MAM) or allow personal devices to access corporate apps and data (MAM only), nFactor delivers extra security validation. More information can be found in this blog.  

Version check will grant Administrators the ability to allow/deny user login based on Citrix Workspace app version. This feature will help with preventing users with older Citrix Workspace app versions that may have known issues and vulnerabilities from accessing corporate resources. 

For more details, read Device Posture. 

We’re excited to share that the first new Citrix Endpoint Management feature of 2023 is IdP enrollment for MAM. Now with this feature, no matter what their preferred enrollment mode, customers can take advantage of the security, compliance and experience benefits that come with Citrix Endpoint Management and IdP-based enrollment. We currently support Okta and AzureAD as IdP. More information can be found in this blog. 

Administrators can now manage the auto-updated version of Citrix Workspace app for the devices in the organization. Administrators can control the version by setting the range in the maximumAllowedVersion and minimumAllowedVersion properties in the Global App Config Service.

Example JSON file in Global App Config Service can be viewed here.

When the range is set, Citrix Workspace app on the user’s device is automatically updated to the highest available version that falls between the mentioned range.

If you want to auto-update Citrix Workspace app to a specific version, enter the same version in the maximumAllowedVersion and minimumAllowedVersion properties in the Global App Config Service.

You can provide feedback for this technical preview by using the Podio form.

Previously, there was no option related to USB auto-redirection settings to set the end user preferences. As administrators control these policies, the end user has to manually redirect required USB devices on every session launch.

Starting with the 2301 version, the end user can select a preference for auto-redirection for any USB device within a Virtual Desktop session. Citrix Workspace app now provides app-level settings, where the end user can control the USB auto-redirection. The end user can set preferences and can save the setting across session launches.

There are two options: one at the session launch and the other while the session is ongoing.

Starting with 2301 release, the opening of Citrix resources has been enhanced to be more intuitive, informative, and user friendly.

The launch progress notification now appears at the bottom-right corner of your screen. A progress status of the resources, which are in the process of being opened is shown. You cannot retrieve the notification once you dismiss it. The notification stays for a few seconds from the time you start the session. If the session fails to start, then the notification shows the failure message.

You can provide feedback for this technical preview by using the Podio form.

Starting with the 2301 version, Citrix Workspace app supports double-hop scenarios. This feature is an enhancement to USB redirection.

For more information, see Double hop in the Citrix Virtual Apps and Desktops documentation.

Citrix Secure Access client now supports single sign-on for the Workspace URL when already logged in via Citrix Workspace app. This SSO functionality enhances the user experience by avoiding multiple authentications. For details, see Single sign-on support for the Workspace URL.

Citrix Session Recording service allows you to install Session Recording servers from within the cloud and allocate sites to the servers.

Previously, you could connect only existing Session Recording servers to the Session Recording service. The new feature enables you to connect any machine to the Session Recording service and then install the Session Recording server component onto it from within the cloud. After the installation completes successfully, the machine becomes a Session Recording server that is connected to the Session Recording service. To do so:

1. Prepare a machine and install the Session Recording cloud client on it.
The machine is automatically connected to the Session Recording service, appearing in the Unallocated servers list on the Server Management page.
2. Check that the status of the machine is Ready to install, and then click the installation icon. The installation wizard appears.
3. Follow the wizard to install the Session Recording server component on the machine.

The new feature removes the need to download the Citrix Virtual Apps and Desktops installer or the SessionRecordingAdministrationx64.msi file. It also checks it is domain joined and certificate bound to prevent issues that might keep Session Recording servers from functioning after being connected.

When you create a catalog to provision machines using Machine Creation Services (MCS) in Google Cloud, you can now use MachineProfile property to capture hardware properties from a virtual machine and apply them to newly provisioned VMs in the catalog. 
When MachineProfile parameter is not used, hardware properties are captured from the Master Image VM or snapshot. For more information, see Create a machine catalog using a machine profile.

Auto-tagging allows administrators to set and remove tags on various DaaS objects automatically, based on custom rules. This eliminates the need to maintain different scripts that run periodically for environment optimization.

With auto-tagging, administrators can implement rules relevant to their business drivers, such as reducing costs, optimizing the infrastructure, and driving consumption. For example, administrators can define rules for:

• Dedicated workloads that have not been used in more than a pre-configured number of days so that they can be released to the available pool.
• Applications that have not been used for more than a pre-configured number of days to reduce application clutter.
• Users who have not logged on for more than a pre-configured number of days so that their resources can be reclaimed.

This feature is available through PowerShell. For more information, visit https://developer-docs.citrix.com/projects/citrix-daas-sdk/en/latest/Broker/New-BrokerAutoTagRule/.

When you create a catalog in Azure environment, you can now specify the page file setting, including the location and size, explicitly using the  PoSH command. This will override the value determined by MCS. You can do this by running New-ProvScheme command and including the following custom properties:

• PageFileDiskDriveLetterOverride: Page file location disk drive letter
• InitialPageFileSizeInMB: Initial page file size in MB
• MaxPageFileSizeInMB: Maximum page file size in MB

For more information, see Update page file setting.

In Azure environments, this feature tags catalog resources using ProvSchemeID for resources created for a particular catalog. This enables proper tracking of resources within the scope of a single catalog. For more information on the tags that MCS adds to the resources, see Identify resources created by MCS.

In Full Configuration, when you create a catalog, an Azure Active Directory joined identity type is now available in Machine Identities. With that identity type, you can use MCS to create machines that are joined to Azure Active Directory. You also have an extra option, Enroll the machines in Microsoft Intune, to enroll the machines in Microsoft Intune for management.

Using Full Configuration, you can choose the Linux OS license type when creating Linux VM catalogs. You have two choices for bring-your-own Linux licenses: RHEL_BYOS and SLES_BYOS. The setting defaults to Azure Linux licensing.

Access assurance dashboard - Logon Network

The Logon Network section is newly added and provides the following user details:

• The organization's associated with the IP addresses from which the users have logged on.
• The total unique public subnet and private subnet from where the users have logged on.
• The details that the user has logged on using proxies and private VPN services.

Using these additional details, an administrator can validate the user logon details and ensure that the user logon is within the security expectation of the organization.

For more details, see Access Assurance Dashboard.

A new Notifications tab in Account Settings allows administrators to configure their preference to receive email notifications. Previously, notifications were configured in Account Settings > My Profile.

Today, anyone who isn't a Citrix Cloud administrator can't receive these email notifications. Certain business user segments need to receive these notifications without being granted administrator rights to Citrix Cloud. This functionality is now added to the Notifications tab.

Only full access administrators can access the Notifications feature to add or remove users. For more information, see Receive Email Notifications in the Citrix Cloud documentation.

With this feature, in Azure environments, you now have an option to change the storage type to a lower tier at shutdown and restore the storage tier when the VM is powered on. This saves on storage cost while the VM is shut down. The storage performance might also be impacted at start time. For persistent VMs, the OS disk is changed to the selected storage type at shutdown and restored to the defined storage type at power on. For non-persistent VMs, if MCSIO is enabled and persistence is selected, OS disk and WBC disk are changed to the selected storage type at shutdown and restored to the defined storage type at power on.
For more information, see Change the storage type to a lower tier when a VM is shut down.

Citrix Analytics for Performance continuously monitors Virtual Delivery Agents (VDAs) enabling administrators to understand VDA availability and identify root causes for VDA failures. Previously, we introduced Machine States, a timeline of state changes for a VDA that includes failures identified by the Citrix control plane. However, if the cause of the failure is complex, specifically issues with configuration, connectivity, or policies, there may not be sufficient details available through Machine States to determine the root cause.

Introducing the WEM Health Check action inside Citrix Analytics for Performance

The WEM Heath Check option specifically targets scenarios where a VDA is unavailable and sufficient details from the control plane are not available to identify the specific problem. Citrix Analytics for Performance can now execute an expert script, available from Citrix Workspace Environment Manager called Cloud Health Check, verifying the health of your VDAs through a series of diagnostic tests. These scripts can identify possible causes for VDA registration failures, session launch issues, and many other scenarios that could cause unexpected outages. Admins with full administrator permissions in Citrix Analytics for Performance can trigger the WEM Cloud Health Check script (runs under the local system account on the agent host) without switching management consoles through the Actions menu (shown in the image below).

Administrators can see the results of the WEM Health Check in the Citrix Analytics for Performance console and determine root cause for the unavailable VDA, saving time from switching between management consoles and different troubleshooting tools. As illustrated in the image below, the WEM health check identifies the cause of failure as DNS configuration and includes a reference to the Knowledge Base article to help resolve the problem.

For more information regarding:

• Using the WEM Task Health Check action in Performance Analytics, see WEM Tasks - Health Check section in the Citrix Analytics for Performance documentation.
• The WEM Task Health Check, see Scripted Tasks in the Workspace Environment Management documentation.

The experience for adding administrators' access in Identity and Access Management now includes the following improvements:

• New "Add Administrator/Group" button which uses a blade interface and a 3 step process to more easily add individual administrators and administrator groups.
• Searchable permissions make it easier to find what you need, reducing the need to scroll through a long list. 

Admins can set up a message/'banner' for users for a certain time duration at the bottom also. Usually this is used for maintenance notifications and other updates.

Ensuring your virtual apps and desktops powered by Citrix DaaS are up and running requires a two-pronged strategy. The first one involves being reactive, using the alert rules from DaaS monitor and insights from Citrix Analytics for Performance - to know when issues arise, and metrics begin to deteriorate. The second strategy involves being proactive, using application probing and/or desktop probing from DaaS Monitor, and doing periodic synthetic virtual app or desktop launches to validate that your environment is working well. And now we are making the probe functionality in DaaS Monitor even better to set up and manage.

Schedule app and desktop probes to run when you want and for the period you want

After downloading and setting up Citrix Probe Agents 2209 or above, you can now configure application and desktop probing to be executed via Citrix DaaS Monitor the way you want. But now unlike earlier, you can configure the application or desktop probing in Citrix DaaS Monitor with a schedule - specifying the days of the week on which they should be run, at what time the probe should start, whether to re-execute probes periodically and finally, when the probes should stop running.

Consider an admin, who wishes to check via Citrix DaaS if the virtual desktop is working before starting the weekday morning shift (say from 9 am to 1 pm).  Then after installing and setting up the Citrix Probe agent, the admin can configure Desktop Probe in Citrix DaaS Monitor from 8:37 AM until 12:37 PM every 15 minutes on Monday, Tuesday, Wednesday, Thursday, and Friday. Create a configuration similar to the image shown below.

The above Desktop Probe configuration would have the probe agent launch a synthetic desktop session at 08:37 am, 08:49 am, 09:04 am, 09:19 am and so on till 12:37 pm every Monday, Tuesday, Wednesday, Thursday, and Friday. The last launch time will be 12:37 PM.

Impact of session execution from Probes on Director

When the earlier version of probe agent launched synthetic sessions, it was often considered as a logon to DaaS Monitor or Citrix Virtual Apps and Desktops Director - which could have adverse impact on admin usability if probes were running at high frequency. But now with the new version Citrix Probe Agent, we have optimized to reduce the number of calls made to DaaS Monitor or CVAD Director - so using the new scheduling functionality for Probes will have minimal impact on the usability of Monitor or Director console.

Citrix Session Recording service has reached General Availability! The introduction of the Session Recording service provides an advanced administration experience and simplifies deployment. It supports centralized management of server settings, policies, and playback. In addition, it facilitates administrative tasks by providing a unified entry point to manage and observe the Session Recording servers across your organization. Onboarding an existing 1912 LTSR deployment is also supported so that you don't have to upgrade to 2203 or later.

Until now, Citrix provided a disk image and accompanying script to support deploying the Connector Appliance in cloud services.

https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/connector-appliance.html#install-connector-appliance-on-your-hypervisor

With this change the Connector Appliance is available within the Google Cloud Platform (GCP) marketplace and can be deployed directly without the need for a script.

CSPs can control which administrators can access the customer dashboard. The Customer Dashboard (View Only) permission allows custom access administrators to view customer information in the dashboard. Only full access administrators can add new customers. 

For more information, see Modify administrator permissions in the Citrix Cloud product documentation.

VDI Insider threat Monitoring with SIEM Date Source events export{}

You can now leverage the new Data events export workflow to export data source events in addition to the machine-learning generated risk insights events and associated data.

This enables Security and Security operations (SOC) admins to:

• Correlate data from Citrix Analytics (Citrix in-session VDI events) with organization’s networks, servers, endpoints, SaaS and other digital assets, aggregated on security information and event management (SIEMs)
• Control what data events flow to SIEMs for storage cost optimization

The data events are delivered to your existing SIEM integrations and data connectors and in parity to what is available on our Self-service event search view.

For more information, see Data events exported from Citrix Analytics for Security to your SIEM service.

Allow administrator to run dynamic session recording action on Citrix DaaS sites

Administrators can now trigger dynamic session recording actions on Citrix DaaS sites and dynamically record users' virtual sessions through Citrix Analytics. They can configure the action with a policy to automatically start recording user sessions in case of a risky activity by a given user gets detected by Citrix Analytics for Security.

Starting with this release, when you download the Universal Architecture build, you have the option to select between the Apple Silicon and Intel builds to support both, the Apple Silicon and Intel based Mac machines.

On Apple Silicon machines, the users have the option to automatically update the Intel build even after having downloaded the Apple Silicon build. The option is provided in the Preferences tab.

Admin feedback for Risk indicators occurrences{}

Citrix Analytics for Security administrators can now report user risk indicators as helpful or not helpful by providing feedback on the indicators details panel. This feature enables administrators to report false positives, reduce noise for frequently triggered indicators, and share additional context with other administrators. As an additional outcome, the unhelpful risk indicator is hidden from the user’s timeline, and the user risk score is recalibrated.

For more information, see Provide feedback for User Risk indicators.

Previously, clicking virtual apps in the Citrix Workspace app triggered the Citrix Viewer where these apps would be available. If you open many apps, the apps or its instances opened in the Citrix Viewer. You can view the open apps by right-clicking the Citrix Viewer icon.

Starting with this release, when you open virtual apps, they appear in the Dock with their respective icons and are easily identifiable. You can then access the virtual app from the dock itself. If you open multiple instances of an app, these instances are not duplicates in the Dock but are grouped within one instance in the Dock.

Previously, in Azure environments, you could only select an image within your subscription to create a machine catalog. With this feature, if an image is shared by an another subscription through the Azure Compute Gallery, you can select the image to create a machine catalog. All subscriptions must belong to same tenant.

You can also browse through one or multiple subscriptions if they share images with your subscription.  

The Citrix Workspace service continuity feature is now supported for the Safari browser. Users must install Citrix Workspace app for Mac and the Citrix Workspace web extension.

Service continuity removes (or, if not possible, minimizes) the dependency on the availability of the components involved in the connection process, allowing users to connect to their virtual apps and desktops regardless of the cloud services' health status.

In addition to archiving and deleting recordings manually, you can now schedule site-level tasks to automatically archive and delete recordings on a regular basis. The enhancement simplifies administration and helps organizations improve efficiency and save costs.

Access assurance to support geofence blocklist

The Safe and Risky location configurations are added under the Geofence settings in Access Assurance

• Safe location geofencing helps to identify and restrict access outside of a defined geofenced area.
• Risky location geofencing helps to detect and narrow down risky user access as per the organizations’ known behavior.

Both Safe and Risky geofencing are backed by their own pre-configured custom risk indicators.

With this change, Citrix adds Nutanix AHV to the list of hypervisors that can host the Connector Appliance.

Until now, Citrix provided a disk image and accompanying script to support deploying the Connector Appliance in cloud services.

https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/connector-appliance.html#install-connector-appliance-on-your-hypervisor

With this change the Connector Appliance is available within the Amazon Web Services (AWS) marketplace and can be deployed directly without the need for a script.

Until now, Citrix provided a disk image and accompanying script to support deploying the Connector Appliance in cloud services.

https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/connector-appliance.html#install-connector-appliance-on-your-hypervisor

With this change the Connector Appliance is available within the Microsoft Azure marketplace and can be deployed directly without the need for a script.

You can now restrict access to selected recordings from within the Session Recording service. In addition to playback permissions, this feature provides more granular access control. Restricted recordings are not accessible to Session Recording read-only administrators — Citrix Cloud administrators assigned only the Session Recording-ReadOnlyAdmin, All role.

Within an HDX session, users can authenticate using password-less FIDO2 security keys. FIDO2 security keys provide a seamless way for enterprise employees to authenticate to virtual apps or desktops that support FIDO2 without entering a user name or password. For more information about FIDO2, see FIDO2 Authentication.

NOTE:

If you’re using the FIDO2 device through USB redirection, remove the USB redirection rule of your FIDO2 device from the usb.conf file in the $ICAROOT/ folder. This update helps you to switch to the FIDO2 virtual channel.

By default, FIDO2 authentication is disabled. To enable FIDO2 authentication, do the following:

1. Navigate to the <ICAROOT>/config/module.ini file.
2. Go to the ICA 3.0 section.
3. Set FIDO2= On.

This feature currently supports roaming authenticators (USB only) with PIN code and touch capabilities. You can configure FIDO2 Security Keys based authentication. For information about the prerequisites and using this feature, see Local authorization and virtual authentication using FIDO2.

When you access an app or a website that supports FIDO2, a prompt appears, requesting access to the security key. If you’ve previously registered your security key with a PIN (a minimum of 4 and a maximum of 64 characters), then you must enter the PIN while signing in.

If you’ve registered your security key previously without a PIN, simply touch the security key to sign in.

Limitation:

You might fail to register the second device to a same account using FIDO2 authentication.

This feature is available in version 2303 and later.

The Connector Appliance now provides functionality to connect a resource location to forests that do not contain Citrix Virtual Apps and Desktops resources. For example, in the case of Citrix Secure Private Access customers or Citrix Virtual Apps and Desktops customers with some forests only used for user authentication.

The Connector Appliance can be used to connect your resource location to Active Directory forests in the following situations:

• You are setting up Secure Private Access.
• You have one or more forests that are only used for user authentication
• You want to reduce the number of connectors required to support multiple forests
• You need a Connector Appliance for other use cases

More information can be found at https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/connector-appliance/active-directory.html

The Secure Private Access dashboard now provides detailed visibility into several user metrics such as app usage, top app users, top apps accessed, diagnostic logs, and so on. For details, see Dashboard.

Impossible Travel Risk indicator

The Impossible Travel risk indicator detects anomalies on accesses highlighting potentially compromised users or risk of shared credentials. The indicator also reports the registering organization and routing type of the client IP addresses. Administrators can analyse the risk indicator details in the user timeline view and in the events exported to SIEM.

Citrix Cloud offers an alternative method for configuring administrator access. After configuring the SAML 2.0 IDP connection in Citrix Cloud, any synced Active Directory-backed groups can be added as Citrix Cloud administrators with custom access permissions. These permissions include access to the Citrix Cloud management console and Citrix DaaS roles and scopes. For more details see Manage administrator groups.

The limit on the number of rows that you can export using the Export to CSV format feature on the Self-service pages is now increased from 10K rows to 100K rows.

In VMware virtualization environments, previously you could capture the folder ID from the master VM and use that for creating VM in catalog. The folder ID was not changeable. With this feature, when creating a MCS machine catalog, you can now set a desired folder ID for the catalog. You can also change the folder ID after you create the catalog by specifying the FolderID custom property in the Set-ProvScheme command. When the folder ID changes, only the new VMs will be created inside the new folder. Existing VMs remain in the old folder.

The Cloud Connector installer now supports the use of the system default browser where Internet Explorer is not available on the system. By default, the installer uses Internet Explorer where available as it provides a more streamlined experience. If this browser is not available, the installer falls back to using the default browser installed on the system.

While most users are not affected, users who have configured their operating system’s usable ciphers may need to review and update this configuration to ensure that the ciphers available include those supported by the new traffic ingress method.

For TLS 1.2, the following cipher suites are supported. At least one of these must be enabled on all systems making contact with Citrix Cloud, including Cloud Connectors and FAS systems.

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

More details can be found at https://support.citrix.com/article/CTX335879

An event called VDA.Print triggers when a printing job is initiated in Citrix Apps and Desktops. The VDA Print events are also available on Self-service search and Custom Risk Indicators pages.

• Self-service search: You can view the VDA.Print results along with all its attribute details.
• Custom Risk Indicators: New events are provided for VDA print telemetry via EventHub and are available within Custom Indicator as well. You can use these event key/value pairs to configure custom indicator triggers.

To enable the print telemetry and transmission of printing logs to Citrix Analytics for Security, you need to create registry keys and configure your VDA. These printing logs provide vital information about printing activities such as, printer names, print file names, and total printed copies. As a security administrator, you can use these logs to analyze the risk and investigate your users.

For more information, see Enabling print telemetry for Citrix DaaS.

You can now customize the content of the email sent to end-users per policy. Specifically, when you create a policy with the Request End User Response action or a disruptive action on the user’s account (such as Log Off user and Lock user), the email content sent to end-users when the policy is applied is customizable.

For more information on customizing the end-user mail per policy, see Policies and Actions.

You can now view your most recently used or favorite apps and desktops or open a Citrix Enterprise Browser window by clicking the Citrix Workspace icon in the menu bar. This feature provides easy access to some of your resources without having to open the Citrix Workspace app.

If you’ve not configured any accounts, a sign-in prompt appears.

A maximum of 5 of your recently used or favorite apps or desktops appear in the options under the Recent and Favorites tabs respectively. To view the other apps in the Citrix Workspace app, click View all applications. To view the other desktops in the Citrix Workspace app, click View all desktops.

You can open the Citrix Workspace UI by clicking the Citrix Workspace app icon.

You can open the Citrix Enterprise Browser, without opening a web or SaaS app by clicking the Citrix Enterprise Browser icon.

You can view the following options when you click the Account icon in the top-right corner:

• Preferences
• Check for updates
• About
• Quit

The Licensing management console has been redesigned to provide an improved user experience for Citrix Cloud administrators. The new console layout provides an at-a-glance view of supported services, so you can easily navigate to the information you need. The display of licensing information is more focused, so licensing details are easier to find and load faster. 

With this feature, in Azure environments, you can now create a MCS machine catalog using an Azure marketplace image directly.

Citrix Analytics for Performance scans for black hole machines every 15 minutes and sends out an alert to enable administrators to proactively mitigate session failures faced by users due to black hole machines. Machines that have failed to service four or more consecutive session requests are termed Black hole machines. With black hole failure alerting, administrators need not be logged into Performance Analytics to know the session failures that occurred due to black hole machines. Details of the machines and the session failures caused by them are sent in the alert emails to administrators. The Black Hole Machines alert policy must be enabled to receive these emails.

For more information about Black Hole Machine Alerts, see the Alerts article.

The experience for managing administrators' access in Identity and Access Management includes the following improvements:

• New blade interface keeps you focused on the task at hand, instead of opening a separate page.
• Searchable permissions make it easier to find what you need, reducing the need to scroll through a long list. 

To provide administrators the most feature rich experience for viewing and creating support tickets from within the Citrix Cloud (CC) console, the Support Ticket options are changing.

The Support Tickets console menu option will redirect administrators to the My Support site to manage support cases directly. For customers with a support entitlement, the "Open a ticket" console button and help menu option (which redirects to the My Support site today) remain unchanged. See the Citrix Product Documentation site for more information. However, for customers without a support entitlement, the "Open Tickets - View All" tile will no longer be available.

Insights on overloaded machines are available on the User Experience dashboard.

Machines that have experienced sustained CPU spikes, high memory usage, or both, that have lasted for 5 minutes or more, resulting in a poor user experience are considered to be overloaded. The Overloaded Machines insight shows the number of overloaded machines causing poor user experience and the number of users affected during the selected duration.

For more information, see Overloaded Machine Insights.

An Overloaded Machines alert mail is sent to administrators when a new overloaded machine is detected in the environment in a 15 mins interval. A realert mail is sent if the same machine remains in the overloaded condition after 24 hours. The administrators are realerted up to three times regarding machines that continue to be overloaded. Pro-active alerting helps administrators who are not currently logged on to Citrix Analytics for Performance detect and handle overloaded resources.

For more information, see Overloaded Machine Alerts.

Previously, Session Recording service required the 2203 version of Session Recording servers or later. To avoid your upgrade effort for onboarding Session Recording service, it is enhanced to be compatible with the 1912 LTSR.

You can now archive and delete recordings using the Session Recording service. When archiving recordings, you can choose to move the recording files to a different location from the one configured through Restore directory for archived files in Session Recording Server Properties. When deleting recordings, you can choose to also delete the recording files along with the database records. For information about the Restore directory for archived files setting, see Specify where recordings are stored. For information about the archiving and deletion operations, see Search for recording.

With this release, the display resolution and DPI scale values set in the Citrix Workspace app match to the corresponding values in the virtual apps and desktops session. You can set the required scale value in the Linux client, and the scaling of the VDA session is updated automatically.

DPI scaling is mostly used with large size and high-resolution monitors. This feature helps to display the following in a size that can be viewed comfortably:

• Applications
• Text
• Images
• Other graphical elements

Limitation:

Currently, the DPI matching feature does not support the fractional scaling on the client side. If the DPI scale value is high, the Microsoft Teams optimization might not support as expected.

For more information on how to enable this feature, see Support for DPI matching.

Use Citrix Cloud Licensing APIs to release expired cloud service licenses such as licenses Citrix DaaS, Citrix DaaS Standard for Azure (formerly Citrix Virtual Apps and Desktops Standard for Azure), Citrix Endpoint Management, or Citrix Secure Private Access.

For more information, see APIs to manage Citrix cloud licensing.

Citrix Cloud Licensing supports multi-type licensing for Citrix DaaS Standard for Azure. If you use both User/Device and Concurrent licensing models in a single Citrix Cloud account, license usage for each licensing model is displayed in separate sections in the Licensing console. For more information, see Monitor licenses and active use for cloud services.

The Machine Statistics page now includes information on Machine States. The States tab shows the timeline of Machine Aggregated State and Machine Power Category plotted at 15 min intervals for the last 24 hours. Clicking an Aggregated State data point helps understand how it was calculated. A breakdown of the actual values of Machine State and Maintenance Mode that resulted in the plotted Aggregated State is displayed. This helps comprehend the machine’s state changes over time. Failure Type and Deregistration Reason help debug machine issues. Hover over the Power Category data point to see the actual Power State the machine has been in. This feature helps slice and dice important parameters concerning the machines in the environment and spot inefficiencies easily. Along with the Sessions and Processes information already available in this view, the Aggregated State and Power Category transition over time gives in-depth information to troubleshoot machine issues.

For more information, see the Machine Statistics article.

The Citrix Analytics Service Onboarding Assistant tool helps troubleshoot issues while onboarding StoreFront with the Citrix Analytics service. The StoreFront server might fail to connect to Citrix Analytics after importing the configuration settings from Citrix Analytics to the StoreFront server. CAS Onboarding Assistant automates all the checks and prerequisites mentioned in the document, Unable to connect StoreFront server with Citrix Analytics. For more information on the usage and to download the tool, see the Knowledge Center article, Citrix Analytics Service Onboarding Assistant.

Users and sessions that cannot be classified into excellent, fair, or poor categories due to configuration issues or dependencies are classified as Not Categorized. The Know more link below the Not Categorized classification in the User Experience and Session Responsiveness trends displays the primary reasons for certain users and sessions being not categorized. This feature provides the clarity required to quickly discover and fix any configuration issues.

For more information, see the Not Categorized article.

This new functionality brings to the Citrix Cloud interface some of the key metrics, such as process CPU and memory usage, AD call latency, and CBP/NFuse/STA metrics. The feature also adds per-provider connectivity checks, which can alert admins to issues and, in future, can include service-specific information for each component of the Cloud Connector.

For more information, see Cloud Connector advanced health checks.

Starting with this release, Citrix Workspace app allows splitting of composite USB devices. A composite USB device can perform more than one function. These functions are accomplished by exposing each of those functions using different interfaces. Examples of composite USB devices include HID devices that consist of audio and video input and output.

Currently composite USB device redirection is available in desktop session only. The split devices appear in the Desktop Viewer.

Earlier when a device was unplugged and plugged in during a session, the device was auto-redirected. As a result, the device was auto connected to the VDA. With this release, you are required to enable auto-redirection manually through configuration file settings. Auto-redirection of composite USB devices is disabled, by default.

For more information on configuring composite USB device redirection, see the Composite USB device redirection section in the USB documentation.

Citrix Provisioning now allows you to move your Citrix Provisioning workloads to the Google Cloud Platform (GCP). Installing Citrix Provisioning in your Google project is the same as installing it in an on-premises provisioning farm. Citrix Provisioning Servers on GCP can stream VDAs from a single copy of a vDisk to thousands of VMs, which are created with tiny boot disk and cache disk. These VDAs can then be exported and power managed by DaaS. For more information, see Citrix Provisioning on Google Cloud Platform.

A home page is available for Full Configuration, providing an overview of your Citrix DaaS deployment and workloads along with information that helps you get the most from your subscription. The page comprises the following parts:

• Service overview. Provides an overview of your Citrix DaaS deployment and workloads.
• Recommendations. Recommends features that are available with your subscription and collects your feedback.
• What's new. Shows the latest features.
• Preview features. Shows features that are currently in preview.
• Get started. Shows steps to guide you through the initial setup.

For more information, see Home page.

You can now customize the port that the VDA uses to communicate with Cloud Connectors based on your specific security requirements. This feature is useful if your security team doesn’t allow the default port (port 80) to be open or if the default port is already in use. For more information, see Customize the port for communicating with Cloud Connectors.

Previously, customers with new paid entitlement to Citrix Analytics for Security had to turn on Data Processing in the site card of specific data sources to begin processing data for those data sources.

With this release, as soon as the new paid entitlement to Citrix Analytics for Security is provisioned, data processing is turned on by default for the following Citrix cloud services:

• Citrix Secure Private Access
• Citrix Content Collaboration
• Citrix DaaS

For more information, see Getting started.

Licensing for Citrix DaaS and Endpoint Management has been optimized to make it easier to release assigned licenses in bulk. With a single click, customers can display only users and associated devices with licenses that are eligible for release. Customers can then select individual users to release associated licenses as needed.

You can now manage Session Recording servers by load-balancing them across multiple sites and create or activate a policy for all Session Recording servers in a site at a time. Visit What's new - Session Recording service for more details.

The User Experience dashboard shows the classification of connected HDX users and sessions as excellent, fair, and poor. These numbers are now displayed in percentages as well.

Using the License Usage Insights console, CSPs can access a centralized view of ADC license consumption data from the ADM Service.

This information is displayed within a new "ADM Service" console page. CSPs have the ability to view and export this data.

If the user logs on from two locations that are too far apart to travel within the elapsed time, Citrix Analytics detects this activity as an impossible travel scenario and triggers the Impossible travel risk indicator. For more information about the Impossible travel risk indicators, see the following articles:

• Citrix Content Collaboration risk indicators
• Citrix Gateway risk indicators
• Citrix Virtual Apps and Desktops and Citrix DaaS risk indicators

Remove a Service

Prerequisites

• Ensure that your customer scope is not linked to any Citrix Virtual Apps and Desktops objects. If they are linked, you cannot remove the service. To unlink scopes, go to Citrix Studio > Administrators > Scopes and edit the scope.
• To know your customer scope and manage it, see Create and manage scope.

Steps

1. Sign in to Citrix Cloud with your Citrix Service Providers credentials.
2. On the Customer dashboard, click the Ellipsis menu (…) of the customer from where you want to remove a service and select Remove Service. The Service to Remove page appears.
3. Click Remove to remove the service.

For more information, see the product documentation.

On the Security Analytics dashboards and reports and in the data sent by Security Analytics to your SIEM service, all the Virtual Apps and Desktops labels are now updated as Apps and Desktops to align with the rebranded product name.

For example, on the Data Sources page, the Virtual Apps and Desktops labels are renamed as Apps and Desktops.

The Apps and Desktops label represents both Citrix on-premises Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) in your organization.

Service continuity is now supported for Citrix Workspace app for iOS. For more information, see Service continuity.

Service continuity removes (or, if not possible, minimizes) the dependency on the availability of the components involved in the connection process, allowing users to connect to their virtual apps and desktops regardless of the cloud services' health status.

Use Citrix cloud licensing APIs to export data about supported cloud services into Excel or Tableau. You can retrieve the following information:

• Devices
• Users
• Enrollment
• Date that a license was assigned
• The time when a user last logged in to the service

You can also retrieve historical data up to the last 12 months.

For more information, see APIs to manage Citrix cloud licensing.

The blade style is now applied to the final two nodes: Machine Catalogs and Policies. The new wizards appear in blade views with wider viewports, enabling more content to display. The workflows for configuring your settings remain the same.

Poor in-session responsiveness is the primary cause for poor session experience. The Anomalous Latency Alerts feature alerts administrators when there is a significant deviation in the session latency values. The proactive alerting helps administrators identify specific locations or Delivery Groups from which poor sessions might be originating.

A machine learning model is used to determine the baseline latency value for all Delivery Group-Location pairs for a specific customer. The baseline latency value is calibrated every day based on the ICARTT values from the last three days. Any outlier measurements of ICARTT are ignored. If the measured ICARTT has a deviation of 60% or more from the baseline latency value, an alert is generated.

For more information, see the Alerts article

Partners with on-premises Citrix Virtual Apps and Desktops can use Citrix cloud licensing APIs retrieve the following information:

• Number of licenses at a summary level including:
  • Total users
  • Paid users
  • Free users
  • License servers
  • Customers count
• Number of licenses per customer including:
  • Account name
  • Total users
  • Paid users
  • Free users
• Historical data up to 12 months

Partners with Citrix DaaS (formerly Virtual Apps and Desktops service) can use Citrix cloud licensing APIs to retrieve the following information:

• Number of licenses at a summary level including:
  • Total current number of customers
  • Total current number of licenses across all customers
  • Total current number of users across all customers
  • Total current number of license overage across all customers
• Number of licenses per customer including:
  • Organization ID
  • Current total licenses owned
  • Current total users
  • Current license overage
• Historical data up to 12 months

For more information, see APIs to manage Citrix cloud licensing.

Display available hypervisors and cloud services based on the selected zone. In Full Configuration, when creating hosting connections, you're required to select a zone before selecting a connection type.  The Connection type drop-down list displays hypervisors and cloud services available with the zone. (Previously, to ensure the Connection type list shows a required hypervisor or cloud service, you had to install its plug-in in every zone. With this new configuration sequence, you can now install the plug-in only in the required zone.)

Custom Access Roles specific to Citrix Analytics for Performance are now available. As a Citrix Cloud administrator with Full access permission, you can invite other administrators to manage Performance Analytics in your organization using the following roles.

• Performance Analytics- Full Administrator - Assigns full access permission to the Citrix Cloud administrators of Performance Analytics.
• Performance Analytics- Read-Only Administrator - Assigns read-only access permission to the Citrix Cloud administrators of Performance Analytics.

You can provide read-only or full access permissions to your administrators and allow them to manage the various features of Performance Analytics. This update allows you to create administrators and provide access based on a specific CAS offering. The users with the Read Only Administrator role that was available earlier is now renamed to Security & Performance - Read Only Administrator.

Read Only Performance Analytics users can access and use the User Experience and Infrastructure Dashboards like the Full Administrators. However, Machine Actions in the Machine Statistics page is disabled for read-only users. Administrators with read-only access will not receive alert notifications from Citrix Analytics.

The Infrastructure dashboard that shows the availability and performance analytics for virtual machines in your apps and desktops environment has the following enhancements.

• The Infrastructure dashboard is now enhanced to show the current availability of virtual machines. This enhancement gives an overview of the number of machines currently serving users and the number of machines that are unavailable for various reasons. The machine counts in the last known Available machine states (Ready for Use, Active) and Unavailable machine states (Maintenance, Unregistered and Failed) is displayed for the last instance (15 minutes).

• Clicking the machine count opens the Machine Self-service view with the list of machines in the selected state for the last 15 minutes.

• The Machine Availability trend now plots machine counts in aggregated states for the selected period. The aggregated state is the least favorable state that the machine has been in, from among the Ready for Use, Active, Maintenance, Unregistered and Failed states. You can drill down from a specific section on the graph to view details of machines in a specific aggregated state in the Machine self-service view. The Machine Availability trend helps check the number of machines in an aggregated state at a point in time. When used alongside the Session Availability trend, it helps understand the impact of a resource crunch or an outage.

• Trends for one month and one-week periods are now plotted with a 6-hour granularity. You can zoom into the one month Machine and Sessions Availability trends using the time navigator in a 3–7 day range

• The time navigator now reflects the Machine Availability trend. This helps identify time periods with a large number of unavailable machines, so you can easily navigate and zoom into the required period on the trend.

• The tool tips on Machines and Sessions Availability trends are synchronized to help understand the correlation between unavailable machines and failed sessions. 

• The Machines Self-service view has a new facet called Aggregated State, to allow state-based filtering of machines. The view has the machine count displayed for the selected Aggregated States. You can now use the Aggregated State facet or click from the Availability trend, to see list of machines that were in a specific aggregated state for the chosen time.

• New columns are added to the Machines self-service view - Last Known State, and the machine count in each of the selected Aggregated states.

• These enhancements help identify machines in a particular state currently or at a historical time period in Machines Self-service view. They enable better troubleshooting of machines as they give higher granularity of data and help identify machines that need attention easily. For more information, see the Self-Service search for Machines and the Infrastructure Analytics articles.

This feature brings more clarity to the Not Categorized numbers on the User Experience dashboard. The dashboard now shows the breakup of users and sessions in the virtual apps and desktops environment based on the session protocol and the connection status.

The dashboard provides performance metrics for only connected HDX sessions. Sessions that have been disconnected throughout during the selected period indicates that the user was not active for the entire selected period. Hence, Session and User Experience scores are not applicable for disconnected sessions.

With this feature, disconnected sessions and users are no longer in the Not Categorized classification. They are now available in the breakup. This reduces the number of users and sessions in the overall Not Categorized classification. For more information, see Breakup of Users and Sessions.

A Zombie session alert mail is generated when a new machine with zombie session is detected in the environment in a 15 mins interval. Alert mails are sent to full administrators who have enabled email notifications in Citrix Cloud. Re-alerting on the same machine is done only if the same abandoned session persists on the same machine for over 24 hours from the initial detection.

Clicking View machines displays the Self-service view filtered with the list of machines containing Zombie Sessions. Here, Failure Count represents the number of session failures that have occurred in the selected interval. The Last Failure Type and Reason help root cause reasons for machines containing zombie sessions.

You can disable the Machines with Zombie Sessions alert from the Alert Policies tab.

Prerequisites

Ensure that all products in your Citrix solutions are connected and able to send data to your cloud Monitor instance and that you’re running newer versions of Citrix products that incorporate the functionality. For more information, see Prerequisites.

If your user encounters problems establishing a session, Citrix Workspace app displays a unique Transaction ID that you can share  with the admin or IT help desk team. The image below shows a sample error:

When the IT team or helpdesk receives the user’s unique Transaction ID, they can use the Citrix Monitor console to quickly find out where in the Citrix ecosystem and pipeline the problem occurred. They have to open the Citrix DaaS service in the Citrix Cloud console, navigate to the Monitor section, and search using the unique Transaction ID provided by the user, as shown below.

Once they find the Transaction ID details in Monitor, they can view the details of the session that generated the Transaction ID, along with an option to ‘Export logs’ for this Transaction ID as CSV file, as shown here:

The logs contain details of all the Citrix products or services involved when the user initiated a session. The error code is also produced for any failures that might have occurred. Based on the product or component, you can find more details about the error code, the cause of the error and its recommended remediation, in our product documentation.

As a public preview, session launch diagnostics will roll out to all customers using Citrix DaaS on Citrix Cloud in the U.S., E.U. and AP-S regions. No sign-up or change in settings is required for customers to try session launch diagnostics in preview.

A new Studio UI experience where customers can build an inventory of their Citrix master catalog images. Within "Images" customers can create Image Portability jobs to manage these images between different resource locations.

On the Analytics dashboards and reports, all the Secure Workspace Access labels are now updated as Secure Private Access to align with the rebranded product name.

For example, on the Data Sources page and the Self-service search page, the Secure Workspace Access labels are renamed as Secure Private Access.

Citrix Cloud Connector is now supported on Windows Server 2022, the latest version of Microsoft Windows Server.

For more information, see Citrix Cloud Connector Technical Details.

The Session Recording service moves Session Recording control to a Citrix cloud service, providing a unified administrative experience.  You can expect the following benefits from the service:

• Centralized configuration of Session Recording servers
• Simplified configuration of Session Recording policies
• Streamlined playback experience

For more information, see the Session Recording service documentation.

System Log captures a range of events that occur within the Citrix Cloud platform and for supported services. Events appear in a timestamped list and include:

• Adding, modifying, and removing administrators.
• Creating and deleting secure clients.
• Changes in Workspace Configuration settings.
• Registering and updating Citrix Cloud Connector and Connector Appliance.
• Registering on-premises License Servers, managing assigned licenses for cloud services, and exporting license data.
• Secure Private Access configuration changes.

Administrators can retrieve events up to 90 days old and export them to CSV. The SystemLog API is available to retrieve events for a specific time period. You can also connect your Splunk instance to Citrix Cloud with the System Log Add-on for Splunk.

For more information, see the System Log documentation and the System Log blog.

If devices enrolled with Citrix Endpoint Management are inactive for a set period of time, then those devices will be automatically removed from the Citrix Endpoint Management console.

For more information, see Server properties.

Licensing for Gateway service now displays the amount of bandwidth used over the last 30 days for each user. Administrators can see at a glance which users are using the most bandwidth, in addition to total bandwidth usage across all Gateway service entitlements.

Citrix Cloud displays the bandwidth usage for a specific user even when the license for that user has been released. When a Gateway service subscription expires, individual users still show the amount of bandwidth they used in the 30-day period.

For more information, see Monitor bandwidth usage for Gateway service in the Citrix Cloud product documentation. 

Custom property of New-ProvScheme or Set-ProvScheme is a string field. If you specify non-existing custom property or properties, you get an error message. This will help you to avoid potential confusion when custom property input does not take effect.

Azure trusted launch is now available for the Full Configuration management interface. If you choose to select an image with trusted launch enabled, using a machine profile is mandatory. Also, you must select a machine profile with trusted launch enabled. For more information, see Microsoft Azure Resource Manager cloud environments.

In the Full Configuration management interface, when provisioning machines on GCP, you can now retain system disk during power cycles when MCS storage optimization (MCS I/O) is enabled. For more information, see Enabling MCS storage optimization updates.

This feature simplifies the configuration of SSO for internal web apps and SaaS apps while using third party identity providers (IdPs). The enhanced SSO experience reduces the entire process to a few commands. It eliminates the mandatory prerequisite to configure Citrix Secure Private Access in the IdP chain to set up SSO. It also improves the user experience, provided the same IdP is used for authentication to both the Citrix Workspace app and the particular web or SaaS app being launched.

You can register for this technical preview by using this Podio form.

This feature provides more visibility into the client-side network, as several relevant metrics are added in the Sessions Self-service view and the Sessions Statistics view.

Endpoint Link Speed (P95), Endpoint Throughput Incoming (P95), and Endpoint Throughput Outgoing (P95) are introduced as optional columns in the Sessions Self-service view.

You need endpoints running Citrix Workspace app for Windows version 7 2108 or later to view Endpoint Network metrics.

These metrics along with existing values of Network Interface Type, ISP, Bandwidth, Network Latency, Gateway, Connector, and Connector performance statistics help triage the root cause of poor session experience.

For more information, see the Self-Service search and the Session Details articles.

Service continuity is now supported for Citrix Workspace app for Android in general availability. For more information, see Service continuity.

There are two sets of permissions required for security requirements and to minimize risk.

• Minimum permissions: This set of permissions gives better security control. However, new features that require additional permissions will fail because of using minimum permissions.
• General permissions: This set of permissions does not block you from getting new enhancement benefit.

For more information, see About Azure permissions.

We added an option, Use non-persistent write-back cache disk, to the Machine Catalog Setup > Disk Settings page of the Manage > Full Configuration interface. Select that option if you do not want the write-back cache disk to persist for the provisioned VMs. With the option selected, we use the VM’s temporary disk to host the write-back cache disk if the temporary disk has sufficient space. Doing that reduces your costs. For more information, see Microsoft Azure Resource Manager cloud environments.

The AWS host connection default setting values are updated to higher values and most likely same for all AWS cloud platform setup. This helps to create host connections in AWS cloud environments, without evaluating and configuring the default setting values according to individual setup. For more information, see Host connection default values.

Using the Full Configuration management interface, you can now change the following settings after creating a catalog:

• Machine size
• Availability zones
• Machine profile
• Windows licenses

To do that, on the Machine Catalogs node, select the catalog and then select Edit Machine Catalog in the action bar. For more information, see Edit a catalog.

You can now provide the following custom properties in the GCP environments to set the storage type of the disks attached to the newly created VM:

• StorageType
• IdentityDiskStorageType
• WBCDiskStorageType

For more information, see Citrix Virtual Apps and Desktops Service SDK.

Citrix Virtual Apps and Desktops service now allows you to store the Azure ephemeral OS disk either on cache disk or temporary disk for an Azure-enabled virtual machine. This functionality is useful for Azure environments that require a higher performant SSD disk over a standard HDD disk. For more information, see Microsoft Azure Resource Manager cloud environments.

Citrix Virtual Apps and Desktops service supports Nutanix Clusters on AWS. Nutanix Clusters simplifies how applications are run on private or multiple public clouds. For more information, see Nutanix clusters on AWS.

VMware cloud on Amazon Web Services (AWS) enables you to migrate VMware based on-premises Citrix workloads to AWS cloud and your core Citrix Virtual Apps and Desktops environment to Citrix Virtual Apps and Desktops service. For more information, see VMware cloud on Amazon Web Services (AWS).

In the self-service search page, when you select a dimension and a valid operator in the search box, the values for the dimension are shown automatically. Select a value from the auto-suggested list or manually enter a value depending on your use cases. When you type a value, the matching values available in the records are auto-suggested.

The list of values suggested for a dimension is either predefined (known values) in the data base or based on historical events.

For example, when you select the dimension Browser and the assignment operator, the known values are auto-suggested. You can select a value depending on your requirement.

In the Full Configuration management interface, when provisioning machines on GCP, you can now configure the following write-back cache disk settings:

• Disk size
• Memory allocated to cache
• Disk storage type
• Disk persistence

For more information, see Create a machine catalog in the Google Cloud Platform virtualization environments article.

We have updated the wizards in the following nodes with a new style, including colors, fonts, and other formatting changes, to bring you a better user experience: Administrators, Hosting, StoreFront, App Packages, Zones, and Settings. The new wizards appear in blade views with wider viewports, enabling more content to display. The workflows for configuring your settings remain the same.

We added a button, Add Administrator, to the Full Configuration > Administrators > Administrators tab. The button offers a quick way to go to Identity and Access Management > Administrators, where you can add (invite) administrators. For more information, see Add an administrator.

Using the Full Configuration management interface, you can now specify the date after which the application secret expires. For guidance on how to view the expiration date of the secret, see Microsoft Azure Resource Manager cloud environments. When using this feature, consider the following differences:

• For service principals created manually in Azure, you can directly edit the expiration date on the Edit Connection > Connection Properties page.
• For first-time edits of the expiration date for service principals created through Full Configuration on your behalf, go to Edit Connection > Edit settings > Use existing. You can make subsequent edits on the Edit Connection > Connection Properties page.

Using the Full Configuration management interface, you can now run checks that gauge the health of VDAs. VDA health checks identify possible causes for common VDA registration and session launch issues. You can run health checks individually and in batches. For more information, see VDA health checks.

AWS now provides API to allow direct creation of EBS volume with desired content. You can now use the API to eliminate volume worker requirement for catalog creation and VM addition. For information on AWS permissions required for this functionality, see AWS cloud environments.

In the Full Configuration management interface, when provisioning machines on GCP, you can now retain system disk during power cycles when MCS storage optimization (MCS I/O) is enabled. For more information, see Enabling MCS storage optimization updates.

Licensing in Citrix Cloud supports multi-type licensing for the Virtual Apps and Desktops service. If you use both User/Device and Concurrent licensing models in a single Citrix Cloud account, Citrix Cloud shows the license usage for each licensing model in separate sections in the management console. For more information, see Monitor licenses and active use for cloud services.

The Full Configuration management interface now provides you with additional options to control whether to grant custom roles access to Manage and Monitor. For more information, see Create and manage roles.

A new tag named CitrixProvisioningSchemeID is now available to identify AWS resources created by MCS. For more information, see Identify resources created by MCS**.

On the Analytics dashboards and reports, all the Access Control labels are now updated as Secure Workspace Access to align with the rebranded product name.

For example, on the Data Sources page and the Self-service search page, the Access Control labels are renamed as Secure Workspace Access.

After removing a registered Citrix License Server from Citrix Cloud, License Server usage data that Citrix Cloud previously collected is still stored. If you no longer want to keep this data, you can delete it. For more information, see Register on-premises products with Citrix Cloud.

In the Full Configuration management interface, you can now create Nutanix AHV XI and Nutanix AHV PC connections. For more information, see Nutanix virtualization environments.

This release introduces an option to the Machine Catalog Setup > Machine Identities page of the Full Configuration management interface. The option lets you specify numbers or letters the account names start with, giving you more control over how machine accounts are named during catalog creation. For more information, see Machine identities.

In the Full Configuration management interface, when provisioning VMs on GCP, you can now select the storage type for the OS disk. Available storage options on the Machine Catalog Setup > Storage page include Standard persistent disk, Balanced persistent disk, and SSD persistent disk. For more information, see Create a machine catalog.

Citrix Workspace Web extensions make service continuity available to users who access their apps and desktops through a browser. This feature now is supported on devices running Citrix Workspace app for Mac. For more information, see Service continuity.

If you purchase the Citrix Azure Consumption Fund to use resources in a Citrix Managed Azure subscription, Citrix Cloud shows the consumption units that you’ve used, broken down by resource type. For more information see, Monitor Citrix Managed Azure resource consumption for Virtual Apps and Desktops service.

Full Configuration management interface now supports Azure ephemeral disk. Previously, PowerShell was your only choice to create machines that used ephemeral OS disks. We now add an option, Azure ephemeral OS disk, to the Machine Catalog Setup > Storage and License Types page. Select the option if you want to use the VM’s local disk to host the operating system disk. For more information, see Create a machine catalog using an Azure Resource Manager image.

You can now choose Asia Pacific South as a home region while onboarding your organization to Citrix Cloud and use the Citrix Analytics service. For more information, see Geographical Considerations.

Citrix Analytics now stores the user events and metadata of your organization in the Asia Pacific South region when you choose it as your home region. For more information, see Data governance.

For information about the network requirements for the Asia Pacific South region, see Technical security overview.

For information about supported data sources in the Asia Pacific South region, see Data sources.

Protect Machine Creation Services (MCS) managed resources from accidental deletion. You can now protect MCS managed resources on the Google Cloud Platform (GCP) by applying GCP’s deletionProtection flag enabled for the VMs. Using the _compute.instances.setDeletionProtectio_n permission or the IAM Compute Admin role, you can reset the flag to allow the resource to be deleted. This functionality is applicable for both persistent and non-persistent catalogs. For more information, see Protect accidental machine deletion.

Citrix Cloud displays assigned licenses and bandwidth usage for SaaS and web apps that you publish with Secure Workspace Access. View and compare usage trends, download usage data to CSV, and release unused licenses when needed. For more information, see Monitor licenses and usage for Secure Workspace Access.

In the Full Configuration management interface, you can now annotate an image by adding a note for it when updating an MCS-created catalog. Each time you update the catalog, a note-related entry is created whether you add a note. If you update the catalog without adding a note, the entry appears as null . To view note history for the image, select the catalog, click Template Properties in the lower pane, and then click View note history. For more information, see Update a catalog.

You can create and prioritize Workspace themes, and add each theme to different user groups in Workspace Configuration. For more information, see Customize the appearance of workspaces.

The Full Configuration management interface now supports multi-type licensing, letting you specify which license entitlement you want your site (your deployment of a Citrix Virtual Apps and Desktops service product) or a delivery group to use.

• At the site level, you determine which license to use site wide when users launch an app or a desktop on their devices. The selected license applies to all delivery groups, except those configured with a different license.
• At a delivery group level, you determine which license you want the delivery group to use, enjoying the multi-type licensing flexibility and benefits.

For more information, see Multi-type licensing.

Citrix Cloud supports adding Azure Active Directory (AD) administrator groups as Citrix Cloud administrators. Manage administrator access to the Virtual Apps and Desktops service for all administrators in the group using custom access permissions. For more information, see Add Azure AD administrator groups to Citrix Cloud.

In the Full Configuration management interface, when creating a machine catalog, you can now view purchase plan information for master images originated from Azure Marketplace images.

We added an option, Use a host group, to the Machine Catalog Setup > Master Image page of the Full Configuration management interface. The option lets you specify which host group you want to use when provisioning VMs in Azure environments. For more information, see Create a machine catalog using an Azure Resource Manager image.

We introduced the Update Machines option for persistent MCS catalogs in the Full Configuration management interface. The option lets you manage the image or template the catalog uses. When updating a persistent catalog, consider the following: Only machines you add to the catalog later are created using the new image or template. We do not roll out the update to existing machines in the catalog. For more information, see Update a catalog.

We added a setting, Retain VMs across power cycles, to the Machine Catalog Setup > Disk Settings page of the Full Configuration management interface. The setting lets you preserve a provisioned VM when power cycling in Azure environments. For more information, see MCS storage optimization. Alternatively, you can configure the feature by using PowerShell. For more information, see Preserving a provisioned virtual machine when power cycling.

When creating a machine catalog, you can now bind it to a Workspace Environment Management configuration set. Doing so lets you use Workspace Environment Management service to deliver the best possible workspace experience to your users. You can also choose to bind the catalog after you create the catalog. For more information, see Create machine catalogs and Manage machine catalogs.

Citrix Cloud supports using SAML 2.0 as an identity provider for authenticating users to Citrix Workspace. Use the SAML 2.0 provider of your choice with your on-premises Active Directory or use the Citrix Cloud SAML SSO app with your Azure AD. For more information, see Connect SAML as an identity provider to Citrix Cloud.

Subscribers can change their domain password from within Citrix Workspace. Administrators can also provide password guidance to subscribers for creating valid complex passwords in accordance with their organization’s password policy. For more information, see Allow subscribers to change their account password.