Citrix Workspace App on Linux (Working from Home)

For those lucky people who didn’t lost their job and are now working from home following the Covid-19/Coronavirus outbreak a lot of us had to start working from home. A lot of large company are using Citrix XenApp as virtual environments for their employees. That is my case and I know we have let many of our employees down when they are telling us they are using a Linux client at home. My job is to provide support to all our employees but as we are not allowed to touch personal machines we simply advise them to install Citrix Workspace App and use it to connect remotely. Simple and easy, but those very few Linux users found themselves stuck quickly if they are not tech enthusiasts, and simply run a Linux system for their ageing machine or whatever reasons they choose to go that way.

So let’s get started with Citrix Workspace App installation, configuration and connection. These steps have been repeated by myself on Linux Mint (but this should be applicable to any Debian based distribution)

Browse to Citrix.com, go to download then choose Citrix Workspace App for Linux page.

I will assume you already have Linux Mint setup and ready to use. Download Full Package (Self-Service Support) .DEB, my machine runs with 64 bits system so I downloaded the x86_64 version. If you are running 32 bits system, download the x86 version.

When you click “Download” it will ask if you want to open (after the download completed) with GDebi Package Installer, that the default option, click “OK“.

The Package Manager will open, click “Install Package” and type in your password to start installing.

When the installation is complete, open the desktop menu, search Citrix and open Citrix Workspace. You will be prompted to accept the End User License Agreement (EULA). Once those are accepted you will be asked for the details provided by your IT Department.

If you receive an error stating your account cannot be added because a secured connection (SSL) cannot be established, we need to run a couple commands below to allow Workspace App to use certificates RootCA already trusted by the web browser. Close Citrix Workspace App then open a terminal and type in the following commands.

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
sudo /opt/Citrix/ICAClient/util/ctx_rehash

The above commands are badly explained in Citrix KBA CTX231524

Open Citrix Workspace App again, provide the information from your IT department to login remotely and connect.

If you have keyboard mapping issues, when connecting to your remote workstation then you need to change some Citrix Workspace App settings, the problem the GUI doesn’t allow to perform these changes. Some information can be found on Citrix blog based on this we will edit “wfclient.ini

nano ~/.ICAClient/wfclient.ini

In the section “WFClient” search for “KeyboardLayout = (User Profile)“, it should be the 2nd line of the section. Replace it with the language of your choice as per Citrix documentation. Scroll down in the document until “Appendix A. Keyboard Name in File” and look for the name in the column “Keyboard Name in Configure File” get the name from this column and replace “(User Profile)” on the line by the name of the language you wish to use. In the example below it is “British”

[WFClient]
Version = 2
KeyboardLayout = British
; Rest of the default configuration below...

At this stage everything should be working normally… but I noticed on my Linux Mint greeter (login) screen there is a new account visible “citrixlog” that showed up. Let’s correct this as well as this account is an application user and we will never use it directly. We need to hide it from the greeter.

Let’s create a new file to hide the account from the greeter

sudo nano /var/lib/AccountsService/users/citrixlog

And add the followind to this new file:

[User]
SystemAccount=true

Then restart the service “AccountsService

sudo systemctl restart accounts-daemon.service

Now this account isn’t visible on the greeter screen.

How To: Setup SUDO and add an existing user to SUDOERS

This steps are performed on fresh Debian 10 installation, they can be followed on any Debian based distributions.

Login with an existing account, here it will be the user ‘arnaud‘, once logged in connect as root:

su

Type in the root password then, we will start by updating our repository sources and install sudo package:

apt-get update
apt-get install sudo

While we are connected as root, we will had one of our existing users to sudo group to grant use of sudo special command. In this example the existing user is ‘arnaud’.

/sbin/usermod -aG sudo arnaud

This command will not return anything if both the group and the username exists.

We can now exit from our root connection.

exit

The user ‘arnaud‘ is now member for the ‘sudo‘ group but we must logoff from that account and login back for this last change to apply.

logout

We can login back immediately and check that we have been granted ‘sudo’ access.

groups

This should display the list of groups the account is member of, including ‘sudo’ group.

Additional step, only if you can access your server locally (even if you need to connect a screen and keyboard to it later): Disable SSH root access explicitly by editing the file “/etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Find the line “#PermitRootLogin yes“, remove the symbol “#” to un-comment the line and replace the final “yes” by “no“. The line should be now: “PermitRootLogin no

Then restart SSH service to apply the new configuration.

sudo service sshd restart

Now what about the existing ‘root’ user ? Where a lot of people recommend to disable it completely or other recommend to lock it. I will suggest you to simply change the password for a really strong password. Strong enough to be annoying to type to reduce the like of using it just because you can. Force yourself and any other users to prefix their commands with ‘sudo’ when superuser permissions are required. Why ? Because one day, something, for some reasons, will go bad and that day you will realise that only the root account can fix the problem and if you are impaired of the direct root access then you will beat yourself up for disabling it. My root passwords are all 32 characters long mixed cases, digits, special characters. The only thing that prevents me to use them: complexity. I use a password manager to store them just for the day I will need them.

More resources on SUDO and its possibility will come soon.