


KB43938 - Compatibility with Pulse Connect Secure (PCS) and Citrix Workspace launcher for macOS endpoints.



Last Modified Date: 1/15/2020 7:23 PM
This article provides information on compatibility between Pulse Connect Secure and Citrix Storefront when using Citrix Workspace on macOS endpoints.

Problem or Goal
With the deprecation of the NPAPI plugin in most modern browsers, Citrix has introduced a new mechanism called Citrix Launcher to launch remote desktop sessions and applications from the browser when leveraging Citrix Workspace, previously called Citrix Receiver.

The changes introduced into the workflow are not compatible with Pulse Connect Secure rewrite profiles for Citrix Storefront (excluding HTML5 access). Enabling this workflow on the Storefront back end, or attempting to use it through rewrite access, will therefore result in sessions not being launched.
Citrix's recent changes altered how the Citrix Workspace launcher workflow downloads and launches ICA files when communicating with Citrix Storefront. As a result, the ICA file is not processed properly by the rewriting engine.

This issue is not applicable to:
  • Windows endpoints using Pulse Secure Application Manager (SAM) or Citrix Terminal Services (CTS)
  • HTML5 deployments for Citrix Storefront
Pulse Secure is actively investigating the code changes necessary to support the Citrix Workspace launcher workflow with the rewriting engine access. Please continue to monitor the following KB for further status updates.

Reference: PRS-387708

Recommended Deployment:

  • To ensure a seamless end user experience between Windows and macOS endpoints, HTML5 deployment for Citrix Storefront is recommended.
  • If the Citrix Workspace client is required, then leveraging Pulse Secure Application Manager (SAM) for Windows and Java Secure Application Manager (JSAM) for macOS is recommended.

Limitations for macOS deployment:

  1. Detection of the Citrix Workspace client will not work; it will fail to detect whether the client is installed.
  2. Due to #1, launching the Citrix Workspace client will fail the first time, until the browser is refreshed.
  3. It is recommended to enable persistent cookies for the corresponding user role. Once the browser is refreshed, Citrix provides a cookie that records how the ICA file was launched; the cookie is stored for 365 days. If the end user logs out of the PCS device, this cookie will remain stored and avoid the browser refresh scenario in the future.


  1. HTML5 deployment can be used as an alternative connection mechanism within Citrix Storefront. This issue is only applicable to the desktop version of Citrix Workspace.
  2. Disabling this workflow in the Citrix Storefront will result in the ICA file being accessed and processed correctly. However, since the browser cannot leverage the NPAPI plugin, the file will be downloaded instead, and the user will have to double-click the file to start the session.
  3. Utilize an L3 VPN tunnel to access the Citrix Storefront environment with the Pulse Secure Desktop client.
Created By: Rafal Gwozdek


