What is SmartAccess?

SmartAccess allows policies and resources to be intelligently applied based on different conditions such as the user’s location and endpoint software.

XenMobile Server SmartAccess lets you control access to HDX apps based on a device’s properties, its user’s properties, or the applications installed on it. You do this with automated actions that mark a device as out of compliance whenever you want to deny it access. HDX apps are then configured in XenApp and XenDesktop with a SmartAccess policy that denies access to out-of-compliance devices. XenMobile communicates the device’s status to StoreFront as a signed, encrypted tag, and StoreFront allows or denies access based on the app’s access control policy.

What Citrix product versions support SmartAccess?
  • XenMobile Server 10.5 or newer
  • XenApp and XenDesktop 7.6 or newer
  • StoreFront 3.7 or newer

How does it work?

When a device is compliant, the XenMobile Server forwards a set of X-Citrix-SmartAccess headers carrying the following information:

  • X-Citrix-SmartAccess-Signature: the signature over the hash of the header data.
  • X-Citrix-SmartAccess-Data: the thumbprint of the certificate used for signing, so that StoreFront can select the correct certificate for signature verification, together with the timestamp of the request.
  • X-Citrix-SmartAccess-Tag: the condition tag header.
  • X-Citrix-SmartAccess-Farm: the name of the XenMobile farm.

Example (screenshot): SmartAccess headers sent by the XenMobile Server for compliant devices

Example (screenshot): response from the XenApp and XenDesktop controller

If the device is non-compliant, the XenMobile Server sends no SmartAccess headers at all. Note also that ResponseAppData is then empty, because the request does not match the access policy configured on the Delivery Group.

Example (screenshot): SmartAccess headers sent by the XenMobile Server for non-compliant devices

What changes are performed on the XenMobile Server?

Beginning with XenMobile Server 10.5, a new custom server property, pna.smartaccess.flag, enables SmartAccess support.

An automated action must also be configured that evaluates device compliance and marks non-compliant devices as out of compliance.

Example (screenshot): sample automated action

What changes are performed on the StoreFront server?

When configuring SmartAccess, run the PowerShell command Grant-STFStorePnaSmartAccess on the StoreFront server.
Once the command has completed successfully, the store’s web.config file contains a corresponding SmartAccess entry.

To verify that the certificate is installed:
On the StoreFront server, open the Certificates MMC snap-in, expand Citrix Delivery Services -> Certificates, and confirm that the certificate is listed.

What happens if the certificate is mismatched or missing?

If applications are not displayed on a compliant device, check the Event Viewer on the StoreFront server for errors.

If you see a certificate-not-found error, capture the SmartAccess headers sent by the XenMobile Server with a network trace (if the traffic is TLS-encrypted, the capture must be decrypted before the headers can be read) and verify that the thumbprint in the X-Citrix-SmartAccess-Data header matches the thumbprint of the certificate installed on StoreFront.
If the thumbprints do not match, re-export the SAML certificate from XenMobile Server to StoreFront. Note: you can also create a new SAML certificate on XenMobile Server and export it.
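To make the StoreFront-side check concrete, the following Python models the header exchange from the "How does it work?" section together with the thumbprint-mismatch failure described in this troubleshooting section. It is an added example, not Citrix's code: the real signature algorithm, the exact layout of X-Citrix-SmartAccess-Data and the timestamp format are not documented on this page, so the block assumes a `thumbprint|timestamp` layout and a textbook RSA-over-SHA-256 signature with a deliberately small key standing in for the SAML certificate. The freshness window, farm name, tag value and the constructed scenarios in `demo()` are made up for the demonstration.

```python
"""Model of StoreFront's SmartAccess decision for one HDX app.

Added example, not Citrix code. Assumed: X-Citrix-SmartAccess-Data is
"<thumbprint>|<unix timestamp>", the signature is textbook RSA over a
SHA-256 digest of Data, Tag and Farm, and the thumbprint is SHA-1 of the
public key. None of this is specified on the page.
"""
import hashlib

# Toy RSA key from two known Mersenne primes (2^61-1 and 2^89-1).
# Illustrative only; far too small for real use.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
N = _P * _Q                           # public modulus (stands in for the SAML cert)
E = 65537                             # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent, XenMobile side only

MAX_SKEW_SECONDS = 300                # assumed freshness window, not from the page

SIGNATURE = "X-Citrix-SmartAccess-Signature"
DATA = "X-Citrix-SmartAccess-Data"
TAG = "X-Citrix-SmartAccess-Tag"
FARM = "X-Citrix-SmartAccess-Farm"


def thumbprint(modulus: int) -> str:
    """Stand-in for a certificate thumbprint: SHA-1 of the public key bytes."""
    return hashlib.sha1(modulus.to_bytes(32, "big")).hexdigest().upper()


def _digest(data: str, tag: str, farm: str, modulus: int) -> int:
    """SHA-256 over the three header values, reduced into the RSA group."""
    h = hashlib.sha256("\n".join((data, tag, farm)).encode()).digest()
    return int.from_bytes(h, "big") % modulus


def build_headers(farm: str, tag: str, now: int) -> dict:
    """Headers a XenMobile Server would send for a compliant device (modelled)."""
    data = f"{thumbprint(N)}|{now}"
    signature = pow(_digest(data, tag, farm, N), _D, N)
    return {SIGNATURE: format(signature, "x"), DATA: data, TAG: tag, FARM: farm}


def evaluate(headers: dict, installed_certs: dict, allowed_tags: set, now: int) -> str:
    """Return "allow" or "deny:<reason>" for an app whose SmartAccess policy
    requires one of allowed_tags. installed_certs maps thumbprint -> modulus
    (the Citrix Delivery Services certificate store, modelled)."""
    if SIGNATURE not in headers:
        # Non-compliant device: XenMobile sends no SmartAccess headers at all.
        return "deny:no-smartaccess-headers"
    try:
        tp, ts_text = headers[DATA].split("|")
        ts = int(ts_text)
    except (KeyError, ValueError):
        return "deny:malformed-data-header"
    modulus = installed_certs.get(tp)
    if modulus is None:
        # The "certificate not found" event seen in the StoreFront Event Viewer.
        return "deny:certificate-not-found"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "deny:stale-timestamp"
    tag, farm = headers.get(TAG, ""), headers.get(FARM, "")
    expected = _digest(headers[DATA], tag, farm, modulus)
    try:
        signature = int(headers[SIGNATURE], 16)
    except ValueError:
        return "deny:bad-signature"
    if pow(signature, E, modulus) != expected:
        return "deny:bad-signature"
    if tag not in allowed_tags:
        return "deny:tag-not-in-policy"
    return "allow"


def demo() -> dict:
    """Constructed scenarios covering the cases described on the page."""
    now = 1_700_000_000
    installed = {thumbprint(N): N}                 # cert exported from XenMobile
    policy = {"XM-Compliant"}                      # tag the Delivery Group policy requires
    good = build_headers("xenmobile-farm", "XM-Compliant", now)
    tampered = dict(good, **{TAG: "XM-Admin"})     # tag changed after signing
    other_cert = {"0" * 40: N}                     # StoreFront holds a different cert
    return {
        "compliant": evaluate(good, installed, policy, now),
        "noncompliant": evaluate({}, installed, policy, now),
        "tampered_tag": evaluate(tampered, installed, policy, now),
        "thumbprint_mismatch": evaluate(good, other_cert, policy, now),
        "replayed_later": evaluate(good, installed, policy, now + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The order of checks mirrors the troubleshooting path above: a request with no headers is the non-compliant case and is denied before any cryptography runs; a thumbprint StoreFront cannot find fails as "certificate not found" before the signature is even checked, which is why re-exporting the certificate fixes that error, whereas a tag altered after signing surfaces as a signature failure instead.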

Additional Resources

CTX220875 – XenMobile 10.5: SmartAccess to HDX – Introduction and Requirements
CTX220877 – XenMobile 10.5: SmartAccess to HDX – How to configure SmartAccess Policy on XenApp and XenDesktop
CTX220964 – XenMobile 10.5: SmartAccess to HDX – How to Configure Compliance Automated Actions in XenMobile
CTX220876 – XenMobile 10.5: SmartAccess to HDX – How to Configure the XenMobile SAML Certificate to the StoreFront Store