In the latest update, Citrix released a new feature called “Reauthentication period for Workspace app”. This enables the Citrix admin to set the reauthentication time for a user. This is one of the most frequently asked questions when I implement Citrix Virtual Apps and Desktops services with Citrix Gateway Services. People authenticate using the defined Identity Provider (IdP) (look here for choosing the correct IdP) and keep signed in, without the need to reauthenticate when they go home and continue to work there.
Yes, they authenticated when they started the Citrix Workspace app, and yes they authenticated when signing into their laptop at home. But for most IT managers it feels strange that when they sign on at the office where conditional access doesn’t require MFA, the user can go home and continue working without authentication with MFA. They think it’s a security risk, which I understand, but everything depends on the security of the mobile device.
Before Citrix released the feature “Reauthentication period for Workspace app” (which currently is in Tech Preview), the only option to control the authentication token is to set it with a GPO or Registry Key. The authentication tokens were designed so a user doesn’t need to reenter their credentials when the system or session restarted. The token is stored encrypted on the device, but it was not possible to set a maximum duration. As of Citrix Workspace app v2106, you are able to disable or enable storing the authentication token on the local device using the Global App Configuration Service
Configuring the Reauthentication period
The default setting requires users to sign in every 24 hours (1 day). You could specify a longer time up to 365 days (I won’t know why you would choose such a long time, but it’s possible). If you specify a longer period than 24 hours, the user always needs to reauthenticate after four days of inactivity.
To change the default reauthentication period, sign in to the Citrix Cloud console, go to the workspace configuration, and select preferences. Scroll down to workspace sessions, where it’s possible to change the current reauthentication period.
Supported Workspace app clients
The following versions of the Citrix Workspace app support this feature:
- Workspace app 2106 for Windows or later
- Workspace app 2106 for Mac or later
- Workspace app for 21.6.5 iOS or later
- Workspace app for 21.6.0 Android or later
Supported authentication methods
Staying signed in to the Workspace app is supported for the following authentication methods:
- Active Directory
- Active Directory plus token
- Azure Active Directory
- Citrix Gateway
I personally would like to set the reauthentication time to a shorter time than 1 day, let’s say 12 hours, this makes it more secure and the user will notice that he needs to sign in again when continuing work after going home. For more information regarding the reauthentication period, see the Citrix docs.