Application virtualization, IoT and Cloud Computing, Blog of Sacha Thomet

Citrix Workspace App 2307 and FIDO2 Keys

I was delighted when I started testing the new Citrix Workspace App 2307 (still in beta phase) and noticed that Citrix had improved the behavior of the FIDO2 key in the Workspace App for Mac. Previously, handling FIDO keys on macOS was limited, while it was better implemented on Windows. The release notes of the new Workspace App indeed indicated that work had been done on FIDO implementations in this release:

Source: https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/ear.html (21.7.23)

Previously, on the Mac, I simply mapped my USB YubiKey into the session and used it that way. However, this is no longer necessary. The function is now queried and passed through on the Mac. When a FIDO key is requested, I see the Mac prompt to enter the password.

I own several YubiKeys, each with multiple passkey identities — one for private use and one for business. However, I’ve noticed that the new feature with one of my keys is causing issues. The problem is that it doesn’t prompt me to choose which identity I want to use within the Citrix session. One key always picks the “correct” business identity, but with the other YubiKey, the system attempts to log me into corporate resources using my Gmail address.

Apparently, the development here is not yet 100% correct and complete. Therefore, after a conversation with Citrix, I learned the command to deactivate this new feature. Until I can use the passkey identity—given that I have multiple identities on the key—I’ll have to wait and loop my USB YubiKey back into the Citrix session through USB passthrough.

If you encounter the same problem, you can deactivate the FIDO feature with this command in the Mac Terminal:

defaults write com.citrix.receiver.nomas Fido2Enabled -bool NO

Update 28.8.23: Citrix reacted fast!

From Citrix Workspace App version 2308 onward, it’s possible to use multiple identities on one FIDO2 key and to choose, in the OS inside the VDA machine, which one should be used.
