What is SmartAccess?
SmartAccess allows policies and resources to be intelligently applied based on different conditions such as the user’s location and endpoint software.
XenMobile Server SmartAccess allows you to control access to HDX apps based on a device's properties, user properties, or installed applications. You do this with automated actions that mark a device as out of compliance when you want to deny it access. To use this feature, the HDX apps are configured in XenApp and XenDesktop with a SmartAccess policy that denies access to out-of-compliance devices. XenMobile communicates the device's status to StoreFront using a signed, encrypted tag, and StoreFront allows or denies access based on the app's access control policy.
What Citrix product versions support SmartAccess?
- XenMobile Server 10.5 or newer
- XenApp and XenDesktop 7.6 or newer
- StoreFront 3.7 or newer
How does it work?
When a device is compliant, the XenMobile Server forwards a set of X-Citrix-SmartAccess headers to StoreFront carrying the following information:

| Header | Contents |
|---|---|
| X-Citrix-SmartAccess-Signature | The signature over the hash of the header data. |
| X-Citrix-SmartAccess-Data | The thumbprint of the certificate used for signing, so that StoreFront can select the correct certificate for signature verification, and the timestamp of the request. |
| X-Citrix-SmartAccess-Tag | The condition tag. |
| X-Citrix-SmartAccess-Farm | The name of the XenMobile farm. |
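The following PowerShell is an added illustration of the exchange described above and is not Citrix code. Citrix does not document the exact byte layout or algorithm of the signed tag, so the layout used here (SHA-256 over the Tag, Farm and Data values, an RSA PKCS#1 v1.5 signature, Base64 encoding, a Data header of the form `thumbprint;timestamp`, and a five-minute freshness window) is an assumption made for illustration; the encryption of the tag is not modelled. The function names, the demo certificate and the tag/farm values are also assumed. What the model does show is why StoreFront needs the thumbprint: it selects the verification certificate by thumbprint before it can check the signature, so a thumbprint that matches no installed certificate fails before any cryptography runs.

```powershell
# Added example (not Citrix code): a model of XenMobile signing the SmartAccess
# headers and StoreFront validating them. Layout and algorithm are assumptions.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Bytes that are hashed and signed. Assumed layout: Tag|Farm|Data as UTF-8.
function Get-SmartAccessSignedBytes([hashtable]$Headers) {
    $payload = '{0}|{1}|{2}' -f $Headers['X-Citrix-SmartAccess-Tag'],
                                 $Headers['X-Citrix-SmartAccess-Farm'],
                                 $Headers['X-Citrix-SmartAccess-Data']
    # Leading comma keeps the byte[] from being unrolled into the pipeline.
    return ,[Text.Encoding]::UTF8.GetBytes($payload)
}

# XenMobile side (modelled): build the headers for a compliant device and sign
# them with the private key of the SAML certificate.
function New-SmartAccessHeaders([X509Certificate2]$SigningCert, [string]$Tag, [string]$Farm) {
    $timestamp = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $headers = @{
        'X-Citrix-SmartAccess-Tag'  = $Tag
        'X-Citrix-SmartAccess-Farm' = $Farm
        'X-Citrix-SmartAccess-Data' = '{0};{1}' -f $SigningCert.Thumbprint, $timestamp
    }
    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($SigningCert)
    $sig = $rsa.SignData((Get-SmartAccessSignedBytes $headers),
                         [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $headers['X-Citrix-SmartAccess-Signature'] = [Convert]::ToBase64String($sig)
    return $headers
}

# StoreFront side (modelled): select the certificate by thumbprint, reject stale
# timestamps, verify the signature. Returns the tag on success, $null on denial.
function Test-SmartAccessHeaders([hashtable]$Headers, [X509Certificate2[]]$TrustedCerts, [int]$MaxSkewSeconds = 300) {
    if (-not $Headers.ContainsKey('X-Citrix-SmartAccess-Signature')) {
        # No headers at all is the non-compliant case: nothing to verify.
        return $null
    }
    $thumbprint, $timestamp = $Headers['X-Citrix-SmartAccess-Data'] -split ';', 2
    $cert = $TrustedCerts | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
    if (-not $cert) {
        # The "certificate not found" case: the thumbprint in the Data header
        # matches no certificate installed on StoreFront.
        Write-Warning "Certificate with thumbprint $thumbprint not found"
        return $null
    }
    $age = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() - [long]$timestamp
    if ([Math]::Abs($age) -gt $MaxSkewSeconds) {
        Write-Warning "Timestamp outside the ${MaxSkewSeconds}s window (replay or clock skew)"
        return $null
    }
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
    $sig = [Convert]::FromBase64String($Headers['X-Citrix-SmartAccess-Signature'])
    $ok  = $rsa.VerifyData((Get-SmartAccessSignedBytes $Headers), $sig,
                           [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if (-not $ok) { Write-Warning 'SmartAccess signature invalid'; return $null }
    return $Headers['X-Citrix-SmartAccess-Tag']
}

# Demo: in-memory self-signed certificates stand in for the XenMobile SAML
# certificate (CertificateRequest needs .NET Framework 4.7.2+ or PowerShell 7).
function New-DemoCert([string]$Subject) {
    $req = [CertificateRequest]::new($Subject, [RSA]::Create(2048),
             [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    return $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1))
}
$xmCert    = New-DemoCert 'CN=XenMobile SAML (demo)'
$otherCert = New-DemoCert 'CN=Some other certificate (demo)'

$headers = New-SmartAccessHeaders -SigningCert $xmCert -Tag 'XM-Compliant' -Farm 'XenMobileFarm'
Test-SmartAccessHeaders -Headers $headers -TrustedCerts @($xmCert)        # matching certificate

$tampered = $headers.Clone(); $tampered['X-Citrix-SmartAccess-Tag'] = 'Admin'
Test-SmartAccessHeaders -Headers $tampered -TrustedCerts @($xmCert)       # tag changed after signing

Test-SmartAccessHeaders -Headers $headers -TrustedCerts @($otherCert)     # thumbprint not installed
```

The first call returns the tag; the second is denied because the signature no longer covers the modified tag; the third is denied with a "not found" warning without any signature check, which is the same symptom the troubleshooting section below describes when the SAML certificate on StoreFront does not match the one XenMobile signs with.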
Example: SmartAccess Headers sent by the XenMobile Server for compliant devices
Example: Response from the XenApp and XenDesktop controller
If the device is non-compliant, the XenMobile Server does not send any SmartAccess headers. Note also that ResponseAppData is empty, because the request does not match the access policy configured on the Delivery Group.
Example: SmartAccess Headers sent by the XenMobile Server for non-compliant devices
What changes are performed on the XenMobile Server?
Beginning with XenMobile Server 10.5, a new custom server property, pna.smartaccess.flag, enables SmartAccess support.
An automated action must also be configured to verify the device compliance.
Example: Sample automated action
What changes are performed on the StoreFront server?
When configuring SmartAccess, run the PowerShell cmdlet Grant-STFStorePnaSmartAccess on the StoreFront server.
Once the command completes successfully, the store's web.config file contains the following entry:
To verify that the certificate is installed:
On the StoreFront server, open the Certificates MMC, expand Citrix Delivery Services > Certificates, and confirm that the certificate is present.
What happens if the certificate is mismatched or missing?
If applications are not displayed on a compliant device, check the Event Viewer on the StoreFront server for errors.
If you see a certificate not found error, capture the SmartAccess headers sent by the XenMobile Server in a network trace and verify that the thumbprint in the X-Citrix-SmartAccess-Data header matches the thumbprint of the certificate installed on StoreFront.
If the thumbprints do not match, re-export the SAML certificate from XenMobile Server to StoreFront. Note: You can also create a new SAML certificate on XenMobile Server and export it.
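The following PowerShell is an added example, not Citrix code, of the thumbprint comparison described above, run on the StoreFront server. It assumes that the Citrix Delivery Services certificate store is reachable as `Cert:\LocalMachine\Citrix Delivery Services`, that the thumbprint appears in the captured header as 40 hexadecimal characters, and that StoreFront writes its errors to an event log named "Citrix Delivery Services"; the sample header value is constructed and the function names are assumed.

```powershell
# Added example (not Citrix code): compare the thumbprint in a captured
# X-Citrix-SmartAccess-Data header with the certificates StoreFront has installed.
param(
    # Paste the header value from the network trace here (constructed sample).
    [string]$DataHeader = '0123456789ABCDEF0123456789ABCDEF01234567;1700000000',
    # Assumed PowerShell path of the store shown as "Citrix Delivery Services" in the MMC.
    [string]$StorePath  = 'Cert:\LocalMachine\Citrix Delivery Services'
)

function Get-ThumbprintFromDataHeader([string]$Value) {
    # Certificate thumbprints are SHA-1 hashes: 40 hex digits. Strip any
    # whitespace a trace tool may have inserted and normalise the case.
    $m = [regex]::Match(($Value -replace '\s', ''), '[0-9A-Fa-f]{40}')
    if (-not $m.Success) { throw "No 40-hex-digit thumbprint found in: $Value" }
    return $m.Value.ToUpperInvariant()
}

function Test-StoreFrontSmartAccessCert([string]$DataHeader, [string]$StorePath) {
    $wanted    = Get-ThumbprintFromDataHeader $DataHeader
    $installed = @(Get-ChildItem -Path $StorePath -ErrorAction Stop)
    $match     = $installed | Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
    if ($match) {
        "MATCH  $wanted  $($match.Subject)  expires $($match.NotAfter)"
        if ($match.NotAfter -lt (Get-Date)) {
            'WARNING: the matching certificate has expired; export a current SAML certificate from XenMobile.'
        }
    } else {
        "MISMATCH: XenMobile signs with $wanted but StoreFront only has:"
        $installed | ForEach-Object { "  $($_.Thumbprint)  $($_.Subject)  expires $($_.NotAfter)" }
        'Re-export the SAML certificate from XenMobile Server to StoreFront.'
    }
}

Test-StoreFrontSmartAccessCert -DataHeader $DataHeader -StorePath $StorePath

# Recent StoreFront errors mentioning certificates (assumed log name).
Get-WinEvent -FilterHashtable @{ LogName = 'Citrix Delivery Services'; Level = 2 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'certificate' } |
    Select-Object TimeCreated, Id, Message
```

Run it in an elevated PowerShell session on the StoreFront server after replacing the sample header value with the one from the trace. A MISMATCH line lists every installed thumbprint so you can tell a wrong certificate apart from a missing one; an expired match is reported separately because it produces the same "apps missing" symptom without a thumbprint mismatch.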
Additional Resources
CTX220875 – XenMobile 10.5: SmartAccess to HDX – Introduction and Requirements
CTX220877 – XenMobile 10.5: SmartAccess to HDX – How to configure SmartAccess Policy on XenApp and XenDesktop
CTX220964 – XenMobile 10.5: SmartAccess to HDX – How to Configure Compliance Automated Actions in XenMobile
CTX220876 – XenMobile 10.5: SmartAccess to HDX – How to Configure the XenMobile SAML Certificate to the StoreFront Store