Mobile Authentication on IGEL Devices with Citrix Workspace

By Monica Jimenez
Posted in Infrastructure, Security
On March 02, 2021

The combinations of authentication apps and thin clients are endless nowadays. With so many different technologies out there, though, not every combination has been documented. At a recent customer engagement, a combination of products that isn't very common, at least not yet, was being implemented in an IGEL environment.

Customer Environment:

IGEL devices on firmware using the built-in default Citrix Workspace client are deployed within an environment configured for ImprivataID mobile authentication, and managed within the Universal Management Suite 6.0. The goal is to have the mobile application successfully enroll and authenticate within the Workspace client to automatically launch the end user's virtual desktop. The virtual desktop is hosted in a 1912 CU1 XenApp Citrix environment. 

Imprivata offers a two-factor mobile authentication service for remote access called Imprivata Confirm ID, also known as ImprivataID. This helps users, such as healthcare workers, gain remote access to the company's network, cloud applications, servers and desktops, and other workflows.

When configuring an IGEL device with the Citrix Workspace client, there are a few settings that need to be enabled for successful access, especially when a two-factor authentication mobile app is involved. With ImprivataID, however, there was a missing piece that isn't easily found with a basic Google search. After a few setting changes, discussions with experts in the field, and a test run on a few devices, I came up with a successful session profile that I feel will save other technicians in the field some time. Below are the key components that need to be enabled on a session profile within the IGEL UMS console for a successful rollout:

  1. Under Sessions > Citrix > Citrix Global > StoreFront Login
  • Set Authentication type to Citrix authentication mechanism (instead of IGEL), with Smartcard disabled
  • Verify that Relaunch Citrix login after logoff is enabled (checked)
  • If you would like to automatically start a VDI, enable Start following applications automatically after server connection is established and add the device name as it appears in StoreFront
  2. Under Sessions > Citrix > Citrix Global > Options
  • Enable HDX Adaptive Transport over EDT and select TCP only (UDP disabled)
  3. Verify that Sessions > Citrix > Citrix StoreFront > Login mirrors the exact settings under Sessions > Citrix > Citrix Global > StoreFront Login

Key Takeaways:

With all the advancements in authenticator apps, it may be hard to keep up with which settings and combinations can and can't work. That doesn't mean you should give up right away, though; keep looking and exhaust all your options. Just because something doesn't turn up in the latest Google search doesn't mean it doesn't exist.


Monica Jimenez

Monica has been a Systems Engineer for Gotham since 2014. She has experience in administration, configuration, and monitoring of Citrix environments in multiple industries. In addition to working within the Citrix Virtualization platform, she has experience working with products including Windows Server, Azure, Turbonomic, and IGEL.