Configure Workspace App using Intune

[David Inglis1709162342]

How can we manage Workspace App settings on a remote Windows device using MDM/Intune?  Obviously default store is the most crucial but also other settings?

 

I have ADMX ingestion working with Intune and can deploy settings, but while deploying the Storefront list does populate the client's registry, it does not have the desired effect on CWA and the 'add account' wizard is still presented at first run as if no store is present.

 

As most of these devices are remote i am trying to populate a Netscaler URL (as per https://support.citrix.com/article/CTX238989).

 

Manually inputting the url in the 'add account' wizard works fine.  I am using SAML AAD/MFA.

 

The user experience i would expect is - when first launching CWA, user is prompted for creds as per auth profile on Gateway vserver.  And then away they go.

 

Is this possible?

 

Thanks.

 

CM

 

[David Inglis1709162342]

Thanks Kasper.  I figured out the OMA-URI pieces and got the ADMX settings deployed by Intune.

 

I didn't want to have multiple 'applications' in Intune, for various business units that use different stores/gateways, just for the installer switch.  I wanted a single installation of CWA as part of base OS deployment, and then to farm out policies containing the different store settings to different AAD groups.

 

This seems to work well so far.

[Maykon Azevedo]

Hi guys, 

 

I got the Store policy applied through the admx ingestion, but this is not being populated in the users profile. I am able to identify registry keys in: "HKLM\Software\Policies\Citrix\Receiver" but there's nothing in "HKCU\Software\Citrix\Dazzle\Sites". 

 

Any thoughts on that ? 

 

Thank you! 

[Kasper Johansen1709159522]

Hi,

 

You should be able to achieve the same result using command line parameters.

 

Like this:

CitrixWorkspaceApp.exe STORE0= HRStore;https://ag.mycompany.com#Storename;On;Store

Mentioned here:
https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html#using-command-line-parameters

[Kasper Johansen1709159522]

Great. OMA-URI is on my very very long to-do list :)

[Giuseppe Marchese1709156259]

Hi there i have the same problem. It would be very nice if you post your solution. 

 

Best Regards

Giuseppe

[Felix Cruz]

@cockneymanc;

While I was able to ingest Chrome and Zoom; I have never been able to duplicate that with Citrix ADMX ingestion. I only see two settings and ICAClient and Device Rules under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault

 

I am currently deploying as a Win32App using cmdline for adding the store and registry entries for Advance Preferences like Shortcut and Reconnect & High DPI

 

If you do not mind, would you be able to post the steps?

[David Inglis1709162342]

Sure.  This took me some time to figure out - but as is the way with these things, is quite straightforward once you know :).

 

First you need to ingest both the citrixbase.admx and the receiver.admx - you can do these both, and the OMA-URI configuration items, in a single Device Configuration Profile.  The CitrixBase ADMX you can copy/paste straight in, but crucially before you copy/paste in the contents of receiver.admx you need to remove the 'ica-file-signing' section.  I got a load of 912 events in the DeviceManagement-Enterprise-Diagnostics-Provider/Admin log on the client, and working through them got me to this point.  So - delete:

 

From the line starting <!-- Start of ica-file-signing.admx-->

To just before the line starting <!-- Start of NS LAN proxy.admx-->

 

With that section removed, you can then paste the remaining content of receiver.admx into it's ADMX Ingestion item.  

 

Once you sync a client and look in "HKLM\Software\Microsoft\PolicyManager\ADMXInstalled\...\Citrix\Policy" you should see both CitrixBase and Receiver entries as per your naming in the ingestion policy entries in Intune.  After a short period of time for the ADMX's to be processed you should then see your potential configuration items under "HKLM\Software\Microsoft\PolicyManager\ADMXDefault\xxx\Citrix-Policy-ICAClient".  These will correspond to the entries you can see in the ADMX files and should help with formatting the OMA-URI paths.

 

You can then stick in OMA-URI items in the same Device Configuration Profile.

 

All the info you need to decipher it all is fortunately documented by Microsoft here:

• https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies
• https://docs.microsoft.com/en-us/windows/client-management/mdm/win32-and-centennial-app-policy-configuration

For specifying the Store (the most common i guess), we can deduce from the ADMX that the element needs to be of the type 'List-ID' which has a specific syntax (see MS links above).  Effectively, it wants a 'grid' structure so two 'columns' separated by the Unicode character 0xF000 which we need to enter as the string &#xF000;

 

So we start with our Store index value (which becomes the name of the registry item), separated by the above string, and then our usual Storefront store value as per https://support.citrix.com/article/CTX238989?recommended.  In my case I am configuring remote devices so will be using a Gateway URL format, with a Store name of SAMLStore, and a description of "Appstore via MDM" so I can follow it in the registry and CWA app.

 

Index = STORE0
Separator = &#xF000;
Storefront string = SAMLStore;https://citrix.company.com#SAMLStore;On;Appstore via MDM

 

So the value to be put into the Intune OMA-URI entry for setting a Store is:

 

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~ICAClient~Storefront/Storefronts

Value: <enabled/> <data id="Storefronts_Part" value="STORE0&#xF000;SAMLStore;https://citrix.company.com#SAMLStore;On;Appstore via MDM"/>

 

Sync the client, check "HKLM\Software\Policies\Citrix\Receiver" and you should have a 'Sites' key with a 'Store0' item and value as per above.

 

Open, or restart, the CWA and the discovery process should start.

 

Hope i've explained that OK.  Good luck!

 

CM

 

 

 

[Oliver Aceves]

Hi there, 

 

Thank you for all the great information. I really learned a lot here. I am having a similar problem and needing some guidance. I was able to successfully ingest the CitrixBase.admx and receiver.admx files. I am trying to figure out the proper OMA-URI for the High DPI settings in the Citrix WorkSpace app. Below is what I have in place and I keep getting a -2016281112 (Remediation failed) eroor. 

 

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~DPI/Policy_DPI

Data Type: String

Value: <data id="scaling_option" value="1"/>

 

Any help is greatly appreciated. Thank you. 

[Felix Cruz]

Oliver Aceves,

 

following David Inglis post, and using 2105 admx, I was able to set the following advance preferences for high dpi.

 

Name: High DPI

Description: set advance preference high dpi to yes 

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~ICAClient~DPI/Policy_DPI

Data type: String

Value: <enabled/> <data id="scaling_option" value="1"/>

 

 

[Felix Cruz]

So follwoig this I was able to set the following


Name: Citrix Base ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Citrix/Policy/CitrixBaseADMX
Data type: String
Value: admx as xml.

Name: Receiver ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Citrix/Policy/ReceiverADMX
Data type: String
Value: admx as xml.
 

Name: Storefront
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~ICAClient~Storefront/Storefronts
Data type: String
Value: <enabled/> <data id="Storefronts_Part" value="STORE0&#xF000;Name;https://storefrontaddress.com;Descrtiption;On;Store"/>

Name: AutoUpdate ltsr 7 days from release
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~ICAClient~AutoUpdate/Policy_EnableAutoUpdatePolicy
Data type: String
Value: <enabled/> <data id="Part_EnableAutoUpdatePolicy" value="True"/> <data id="Part_EnableAutoUpdatePolicy_version" valueName="LTSROnly" value="True"/> <data id="Part_EnableAutoUpdatePolicy_RemindMeLater" value="7" />
 

Name: High DPI
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~ICAClient~DPI/Policy_DPI
Data type: String
Value: <enabled/> <data id="scaling_option" value="1"/>
 

I am encountering trouble with enabling Advance Preferences "Shortcuts and Reconnect" 
-Start Menu Options <enabled>
-Desktop Options <enabled>
-Category Options <enabled> with Start menu Path & Desktop Path enabled.

I see entries in HKLM\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\Citrix~Policy~ICAClient~SelfService\Policy_EnableAppShortCut

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~ICAClient~SelfService/Policy_EnableAppShortCut
Value: <enabled/> <data id="Part_DesktopShortcut_Enable" valueName="PutShortcutsOnDesktop" value="True"/>

I tried many variations on understanding the oma-uri process but no luck. Anyone can assist?