Intune Company Portal Mac Download



This section is for scripts that install or configure applications on the Mac. There are many reasons to deploy apps via shell script rather than via the macOS mdmclient. Our preferred method of app deployment is via the Mac App Store VPP, but the Intune Scripting agent provides an almost infinite level of possibilities where the apps you need.

You can use Intune to query the status of disk encryption (FileVault 2) on enrolled Mac devices and ensure that company data is encrypted at rest. Reporting and Auditing: Intune helps you keep track of all your Mac devices by providing comprehensive hardware and software inventory reporting capabilities. You can go to the Reports workspace to.

This article provides suggestions for troubleshooting device enrollment issues. If this information doesn't solve your problem, see How to get support in Microsoft Endpoint Manager to find more ways to get help.

Initial troubleshooting steps

Before you begin troubleshooting, check to make sure that you've configured Intune properly to enable enrollment. You can read about those configuration requirements in:

  • Set up Android device management - No additional steps required

You can also make sure that the time and date on the user's device are set correctly:

  1. Restart the device.
  2. Make sure that the time and date are set close to GMT standards (+ or - 12 hours) for the end user's time zone.
  3. Uninstall and reinstall the Intune company portal (if applicable).

Your managed device users can collect enrollment and diagnostic logs for you to review. User instructions for collecting logs are provided in:

General enrollment issues

These issues may occur on all device platforms.

Device cap reached

Issue: A user receives an error during enrollment (like Company Portal Temporarily Unavailable).

Resolution:

Check number of devices enrolled and allowed

Check to see that the user isn't assigned more than the maximum number of devices by following these steps:

  1. In the Microsoft Endpoint Manager admin center, choose Devices > Enrollment restrictions > Device limit restrictions. Note the value in the Device limit column.

  2. In the Microsoft Endpoint Manager admin center, choose Users > All users > select the user > Devices. Note the number of devices.

  3. If the user's number of enrolled devices already equals their device limit restriction, they can't enroll anymore until:

    • Existing devices are removed, or
    • You increase the device limit by setting device restrictions.

To avoid hitting device caps, be sure to remove stale device records.

Note

You can avoid the device enrollment cap by using Device Enrollment Manager account, as described in Enroll corporate-owned devices with the Device Enrollment Manager in Microsoft Intune.

A user account that is added to Device Enrollment Managers account will not be able to complete enrollment when Conditional Access policy is enforced for that specific user login.

Company Portal Temporarily Unavailable

Issue: Users receive a Company Portal Temporarily Unavailable error on their device.

Resolution:

  1. Remove the Intune Company Portal app from the device.

  2. On the device, open the browser, browse to https://portal.manage.microsoft.com, and try a user login.

  3. If the user fails to sign in, they should try another network.

  4. If that fails, validate that the user's credentials have synced correctly with Azure Active Directory.

  5. If the user successfully logs in, an iOS/iPadOS device will prompt you to install the Intune Company Portal app and enroll. On an Android device, you'll need to manually install the Intune Company Portal app, after which you can retry enrolling.

MDM authority not defined

Issue: A user receives an MDM authority not defined error.

Resolution:

  1. Verify that the MDM Authority has been set appropriately.

  2. Verify that the user's credentials have synced correctly with Azure Active Directory. You can verify that the user's UPN matches the Active Directory information in the Microsoft 365 admin center. If the UPN doesn't match the Active Directory information:

    1. Turn off DirSync on the local server.

    2. Delete the mismatched user from the Intune Account Portal user list.

    3. Wait about one hour to allow the Azure service to remove the incorrect data.

    4. Turn on DirSync again and check if the user is now synced properly.

Unable to create policy or enroll devices if the company name contains special characters

Issue: You can't create policy or enroll devices.

Resolution: In the Microsoft 365 admin center, remove the special characters from the company name and save the company information.

Unable to sign in or enroll devices when you have multiple verified domains

Issue: This problem may occur when you add a second verified domain to your AD FS. Users with the user principal name (UPN) suffix of the second domain may not be able to log into the portals or enroll devices.

Resolution: Microsoft 365 customers are required to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix if they:

  • use single sign-on (SSO) through AD FS 2.0, and
  • have multiple top-level domains for users' UPN suffixes within their organization (for example, @contoso.com or @fabrikam.com).

A rollup for AD FS 2.0 works in conjunction with the SupportMultipleDomain switch to enable the AD FS server to support this scenario without requiring additional AD FS 2.0 servers. For more information, see this blog.

Android issues

Android enrollment errors

The following table lists errors that end users might see while enrolling Android devices in Intune.

Error message: IT admin needs to assign license for access
Your IT admin hasn't given you access to use this app. Get help from your IT admin or try again later.
Issue: The device can't be enrolled because the user's account doesn't have the necessary license.
Resolution: Before users can enroll their devices, they must have been assigned the necessary license. This message means that they have the wrong license type for the mobile device management authority. For example, they'll see this error if both of the following are true:
  1. Intune has been set as the mobile device management authority
  2. They're using a System Center 2012 R2 Configuration Manager license.
For more information, see Assign Intune licenses to your user accounts.

Error message: IT admin needs to set MDM authority
Looks like your IT admin hasn't set an MDM authority. Get help from your IT admin or try again later.
Issue: The mobile device management authority hasn't been defined.
Resolution: The mobile device management authority hasn't been set in Intune. See information about how to set the mobile device management authority.

Devices fail to check in with the Intune service and display as Unhealthy in the Intune admin console

Issue: Some Samsung devices that are running Android versions 4.4.x and 5.x might stop checking in with the Intune service. If devices don't check in:

  • They can't receive policy, apps, and remote commands from the Intune service.
  • They show a Management State of Unhealthy in the administrator console.
  • Users who are protected by Conditional Access policies might lose access to corporate resources.

Samsung Smart Manager software, which ships on certain Samsung devices, can deactivate the Intune Company Portal and its components. When the Company Portal is in a deactivated state, it can't run in the background and can't contact the Intune service.

Resolution 1:

Tell your users to start the Company Portal app manually. Once the app restarts, the device checks in with the Intune service.

Important

Opening the Company Portal app manually is a temporary solution, because Samsung Smart Manager may deactivate the Company Portal app again.

Resolution 2:

Tell your users to try upgrading to Android 6.0. The deactivation issue doesn't occur on Android 6.0 devices. To check if an update is available, go to Settings > About device > Download updates manually > follow the prompts.

Resolution 3:

If Resolution 2 doesn't work, have your users follow these steps to make Smart Manager exclude the Company Portal app:

  1. Launch the Smart Manager app on the device.

  2. Choose the Battery tile.

  3. Under App power saving or App optimization, select Detail.

  4. Choose Company Portal from the list of apps.

  5. Choose Turned off.

  6. Under App power saving or App optimization, confirm that Company Portal is turned off.

Profile installation failed

Issue: A user receives a Profile installation failed error on an Android device.

Resolution:

  1. Confirm that the user is assigned an appropriate license for the version of the Intune service that you're using.

  2. Confirm that the device isn't already enrolled with another MDM provider.

  3. Confirm that the device doesn't already have a management profile installed.

  4. Confirm that Chrome for Android is the default browser and that cookies are enabled.

Android certificate issues

Issue: Users receive the following message on their device: You can't sign in because your device is missing a required certificate.

Resolution 1:

The user might be able to retrieve the missing certificate by following the instructions in Your device is missing a required certificate. If the error persists, try Resolution 2.

Resolution 2:

After entering their corporate credentials and getting redirected for federated login, users might still see the missing certificate error. In this case, the error may mean that an intermediate certificate is missing from your Active Directory Federation Services (AD FS) server.

The certificate error occurs because Android devices require intermediate certificates to be included in an SSL Server hello. Currently, a default AD FS server or WAP - AD FS Proxy server installation sends only the AD FS service SSL certificate in the SSL server hello response to an SSL Client hello.

To fix the issue, import the certificates into the Computers Personal Certificates on the AD FS server or proxies as follows:

  1. On the AD FS and proxy servers, right-click Start > Run > certlm.msc to launch the Local Machine Certificate Management Console.
  2. Expand Personal and choose Certificates.
  3. Find the certificate for your AD FS service communication (a publicly signed certificate), and double-click to view its properties.
  4. Choose the Certification Path tab to see the certificate's parent certificate/s.
  5. On each parent certificate, choose View Certificate.
  6. Choose Details > Copy to file….
  7. Follow the wizard prompts to export or save the public key of the parent certificate to the file location of your choice.
  8. Right-click Certificates > All Tasks > Import.
  9. Follow the wizard prompts to import the parent certificate(s) to Local Computer\Personal\Certificates.
  10. Restart the AD FS servers.
  11. Repeat the above steps on all of your AD FS and proxy servers.

To verify a proper certificate installation, you can use the diagnostics tool available on https://www.digicert.com/help/. In the Server Address box, enter your AD FS server's FQDN, such as sts.contoso.com, and then click Check Server.

To validate that the certificate installed correctly:

The following steps describe just one of many methods and tools that you can use to validate that the certificate installed correctly.

  1. Go to the free Digicert tool.
  2. Enter your AD FS server's fully qualified domain name (for example, sts.contoso.com) and select CHECK SERVER.

If the Server certificate is installed correctly, you see all check marks in the results. If the problem above exists, you see a red X in the Certificate Name Matches and the SSL Certificate is correctly Installed sections of the report.

Resolution 3:

The users are unable to authenticate in Company Portal. But they can authenticate in Microsoft Authenticator and web browsers.

This issue occurs if your AD FS server uses a user certificate rather than a certificate issued by a public certificate authority (CA).

There are two certificate stores in Android devices:

  • The user certificate store
  • The system certificate store

Starting in Android 7.0, apps ignore user certificates by default, unless the apps explicitly opt in. For more information, see Changes to Trusted Certificate Authorities in Android Nougat.

To fix this issue, use a certificate that chains to a publicly trusted root CA in your AD FS server. A list of public CAs on Android can be found at https://android.googlesource.com/platform/system/ca-certificates/+/master/files/.

iOS/iPadOS issues

iOS/iPadOS enrollment errors

The following table lists errors that end users might see while enrolling iOS/iPadOS devices in Intune.

Error message: NoEnrollmentPolicy
Issue: No enrollment policy found
Resolution: Check that all enrollment prerequisites, like the Apple Push Notification Service (APNs) certificate, have been set up and that iOS/iPadOS as a platform is enabled. For instructions, see Set up iOS/iPadOS and Mac device management.

Error message: DeviceCapReached
Issue: Too many mobile devices are enrolled already.
Resolution: The user must remove one of their currently enrolled mobile devices from the Company Portal before enrolling another. See the instructions for the type of device you're using: Android, iOS/iPadOS, Windows.

Error message: APNSCertificateNotValid
Issue: There's a problem with the certificate that lets the mobile device communicate with your company's network.
Resolution: The Apple Push Notification Service (APNs) provides a channel to contact enrolled iOS/iPadOS devices. Enrollment will fail and this message will appear if:
  • The steps to get an APNs certificate weren't completed, or
  • The APNs certificate has expired.
Review the information about how to set up users in Sync Active Directory and add users to Intune and organizing users and devices.

Error message: AccountNotOnboarded
Issue: There's a problem with the certificate that lets the mobile device communicate with your company's network.
Resolution: The Apple Push Notification Service (APNs) provides a channel to contact enrolled iOS/iPadOS devices. Enrollment will fail and this message will appear if:
  • The steps to get an APNs certificate weren't completed, or
  • The APNs certificate has expired.
For more information, review Set up iOS/iPadOS and Mac management with Microsoft Intune.

Error message: DeviceTypeNotSupported
Issue: The user might have tried to enroll using a non-iOS device. The mobile device type that you're trying to enroll isn't supported. Confirm that device is running iOS/iPadOS version 8.0 or later.
Resolution: Make sure that your user's device is running iOS/iPadOS version 8.0 or later.

Error message: UserLicenseTypeInvalid
Issue: The device can't be enrolled because the user's account isn't yet a member of a required user group.
Resolution: Before users can enroll their devices, they must be members of the right user group. This message means that they have the wrong license type for the mobile device management authority. For example, they'll see this error if both of the following are true:
  1. Intune has been set as the mobile device management authority
  2. They're using a System Center 2012 R2 Configuration Manager license.
Review the following articles for more information:
Review Set up iOS/iPadOS and Mac management with Microsoft Intune and information about how to set up users in Sync Active Directory and add users to Intune and organizing users and devices.

Error message: MdmAuthorityNotDefined
Issue: The mobile device management authority hasn't been defined.
Resolution: The mobile device management authority hasn't been set in Intune. Review item #1 in the Step 6: Enroll mobile devices and install an app section in Get started with a 30-day trial of Microsoft Intune.

Devices are inactive or the admin console can't communicate with them

Issue: iOS/iPadOS devices aren't checking in with the Intune service. Devices must check in periodically with the service to maintain access to protected corporate resources. If devices don't check in:

  • They can't receive policy, apps, and remote commands from the Intune service.
  • They show a Management State of Unhealthy in the administrator console.
  • Users who are protected by Conditional Access policies might lose access to corporate resources.

Resolution: Share the following resolutions with your end users to help them regain access to corporate resources.

When users start the iOS/iPadOS Company Portal app, it can tell if their device has lost contact with Intune. If it detects that there's no contact, it automatically tries to sync with Intune to reconnect (users will see the Trying to sync… message).

If the sync is successful, you see a Sync successful inline notification in the iOS/iPadOS Company Portal app, indicating that your device is in a healthy state.

If the sync is unsuccessful, users see an Unable to sync inline notification in the iOS/iPadOS Company Portal app.

To fix the issue, users must select the Set up button, which is to the right of the Unable to sync notification. The Set up button takes users to the Company Access Setup flow screen, where they can follow the prompts to enroll their device.

Once enrolled, the devices return to a healthy state and regain access to company resources.

Verify WS-Trust 1.3 is enabled

Issue: Automated Device Enrollment (ADE) iOS/iPadOS devices can't be enrolled.

Enrolling ADE devices with user affinity requires the WS-Trust 1.3 Username/Mixed endpoint to be enabled to request user tokens. Active Directory enables this endpoint by default. To get a list of enabled endpoints, use the Get-AdfsEndpoint PowerShell cmdlet and look for the trust/13/UsernameMixed endpoint. For example:
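
One way to script that check, as an added example that is not part of the original article. It assumes an elevated PowerShell session on an AD FS server; the function name Test-WsTrust13UsernameMixed and its PathPattern parameter are hypothetical.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on an AD FS server, where the ADFS module is available.
function Test-WsTrust13UsernameMixed {
    [CmdletBinding()]
    param(
        # Path fragment named in the text; -like matching is case-insensitive.
        [string]$PathPattern = '*trust/13/usernamemixed'
    )

    if (-not (Get-Command -Name Get-AdfsEndpoint -ErrorAction SilentlyContinue)) {
        throw 'Get-AdfsEndpoint was not found. Run this check on an AD FS server.'
    }

    # List every endpoint and keep the ones whose address path matches.
    $endpoints = @(Get-AdfsEndpoint | Where-Object { $_.AddressPath -like $PathPattern })

    if ($endpoints.Count -eq 0) {
        Write-Warning "No endpoint matching '$PathPattern' is defined on this server."
        return $false
    }

    # Enabled = endpoint is active; Proxy = endpoint is also published on the proxy.
    $endpoints |
        Select-Object AddressPath, Enabled, Proxy, Protocol |
        Format-Table -AutoSize |
        Out-Host

    $enabled = @($endpoints | Where-Object { $_.Enabled })
    if ($enabled.Count -eq 0) {
        Write-Warning 'The WS-Trust 1.3 Username/Mixed endpoint exists but is disabled.'
        return $false
    }
    return $true
}

Test-WsTrust13UsernameMixed
```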

For more information, see Get-AdfsEndpoint documentation.

For more information, see Best practices for securing Active Directory Federation Services. For help with determining if WS-Trust 1.3 Username/Mixed is enabled in your identity federation provider:

  • contact Microsoft Support if you use AD FS
  • contact your third-party identity vendor.

Profile installation failed

Issue: A user receives a Profile installation failed error on an iOS/iPadOS device.

Troubleshooting steps for failed profile installation

  1. Confirm that the user is assigned an appropriate license for the version of the Intune service that you're using.

  2. Confirm that the device isn't already enrolled with another MDM provider.

  3. Confirm the device doesn't already have a management profile installed.

  4. Navigate to https://portal.manage.microsoft.com and try to install the profile when prompted.

  5. Confirm that Safari for iOS/iPadOS is the default browser and that cookies are enabled.

User's iOS/iPadOS device is stuck on an enrollment screen for more than 10 minutes

Issue: An enrolling device may get stuck in either of two screens:

  • Awaiting final configuration from 'Microsoft'
  • Guided Access app unavailable. Please contact your administrator.

This issue can happen if:

  • there's a temporary outage with Apple services, or
  • iOS/iPadOS enrollment is set to use VPP tokens as shown in the table but there's something wrong with the VPP token.

Enrollment settings | Value
Platform | iOS/iPadOS
User Affinity | Enroll with User Affinity
Authenticate with Company Portal instead of Apple Setup Assistant | Yes
Install Company Portal with VPP | Use token: token address
Run Company Portal in Single App Mode until authentication | Yes

Resolution: To fix the problem, you must:

  1. Determine if there's something wrong with the VPP token and fix it.
  2. Identify which devices are blocked.
  3. Wipe the affected devices.
  4. Tell the user to restart the enrollment process.

Determine if there's something wrong with the VPP token

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment > Enrollment program tokens > token name > Profiles > profile name > Manage > Properties.
  2. Review the properties to see if any errors similar to the following appear:
    • This token has expired.
    • This token is out of Company Portal licenses.
    • This token is being used by another service.
    • This token is being used by another tenant.
    • This token was deleted.
  3. Fix the issues for the token.

Identify which devices are blocked by the VPP token

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS enrollment > Enrollment program tokens > token name > Devices.
  2. Filter the Profile status column by Blocked.
  3. Make a note of the serial numbers for all the devices that are Blocked.

Remotely wipe the blocked devices

After you've fixed the issues with the VPP token, you must wipe the devices that are blocked.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > All devices > Columns > Serial number > Apply.
  2. For each blocked device, choose it in the All devices list and then choose Wipe > Yes.

Tell the users to restart the enrollment process

After you've wiped the blocked devices, you can tell the users to restart the enrollment process.

macOS issues

macOS enrollment errors

Error message 1: It looks like you're using a virtual machine. Make sure you've fully configured your virtual machine, including serial number and hardware model. If this isn't a virtual machine, please contact support.

Error message 2: We're having trouble getting your device managed. This problem could be caused if you're using a virtual machine, have a restricted serial number, or if this device is already assigned to someone else. Learn how to resolve these problems or contact your company support.

Issue: This message could be a result of any of the following reasons:

  • A macOS virtual machine (VM) isn't configured correctly
  • You've enabled device restrictions that require the device to be corporate-owned or have a registered device serial number in Intune
  • The device has already been enrolled and is still assigned to someone else in Intune

Resolution: First, check with your user to determine which of the issues affects their device. Then complete the most relevant of the following solutions:

  • If the user is enrolling a VM for testing, make sure it's been fully configured so that Intune can recognize its serial number and hardware model. Learn more about how to set up VMs in Intune.

  • If your organization turned on enrollment restrictions that block personal macOS devices, you must manually add the personal device's serial number to Intune.

  • If the device is still assigned to another user in Intune, its former owner did not use the Company Portal app to remove or reset it. To clean up the stale device record from Intune:

    1. In the Microsoft Endpoint Manager admin center, sign in with your administrative credentials.
    2. Choose Devices > All devices.
    3. Find the device with the enrollment problem. Search by device name or MAC/HW Address to narrow your results.
    4. Select the device > Delete. Delete all other entries associated with the device.

PC Issues

Error message: IT admin needs to assign license for access
Your IT admin hasn't given you access to use this app. Get help from your IT admin or try again later.
Issue: The device can't be enrolled because the user's account doesn't have the necessary license.
Resolution: Before users can enroll their devices, they must have been assigned the necessary license. This message means that they have the wrong license type for the mobile device management authority. For example, they'll see this error if both of the following are true:
  1. Intune has been set as the mobile device management authority
  2. They're using a System Center 2012 R2 Configuration Manager license.
See information about how to assign Intune licenses to your user accounts.

The machine is already enrolled - Error hr 0x8007064c

Issue: Enrollment fails with the error The machine is already enrolled. The enrollment log shows error hr 0x8007064c.

This failure may occur because the computer:

  • was previously enrolled, or
  • has the cloned image of a computer that was already enrolled. The account certificate of the previous account is still present on the computer.

Resolution:

  1. From the Start menu, type Run -> MMC.

  2. Choose File > Add/Remove Snap-ins.

  3. Double-click Certificates, choose Computer account > Next, and select Local Computer.

  4. Double-click Certificates (Local computer) and choose Personal/Certificates.

  5. Look for the Intune cert issued by Sc_Online_Issuing, and delete it, if present.

  6. If the following registry key exists, delete it: the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OnlineManagement key and all subkeys.

  7. Try to re-enroll.

  8. If the PC still can't enroll, look for and delete this key, if it exists: HKEY_CLASSES_ROOT\Installer\Products\6985F0077D3EEB44AB6849B5D7913E95.

  9. Try to re-enroll.

    Important

    This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, read How to back up and restore the registry in Windows.

General enrollment Error codes

Error code | Possible problem | Suggested resolution
0x80CF0437 | The clock on the client computer isn't set to the correct time. | Make sure that the clock and the time zone on the client computer are set to the correct time and time zone.
0x80240438, 0x80CF0438, 0x80CF402C | Can't connect to the Intune service. Check the client proxy settings. | Verify that Intune supports the proxy configuration on the client computer. Verify that the client computer has Internet access.
0x80240438, 0x80CF0438 | Proxy settings in Internet Explorer and Local System aren't configured. | Can't connect to the Intune service. Check the client proxy settings. Verify that Intune supports the proxy configuration on the client computer. Verify that the client computer has Internet access.
0x80043001, 0x80CF3001, 0x80043004, 0x80CF3004 | Enrollment package is out of date. | Download and install the current client software package from the Administration workspace.
0x80043002, 0x80CF3002 | Account is in maintenance mode. | You can't enroll new client computers when the account is in maintenance mode. To view your account settings, sign in to your account.
0x80043003, 0x80CF3003 | Account is deleted. | Verify that your account and subscription to Intune is still active. To view your account settings, sign in to your account.
0x80043005, 0x80CF3005 | The client computer has been retired. | Wait a few hours, remove any older versions of the client software from the computer, and then retry the client software installation.
0x80043006, 0x80CF3006 | The maximum number of seats allowed for the account has been reached. | Your organization must buy additional seats before you can enroll more client computers in the service.
0x80043007, 0x80CF3007 | Couldn't find the certificate file in the same folder as the installer program. | Extract all files before you start the installation. Do not rename or move any of the extracted files: all files must exist in the same folder or the installation will fail.
0x8024D015, 0x00240005, 0x80070BC2, 0x80070BC9, 0x80CFD015 | The software can't be installed because a restart of the client computer is pending. | Restart the computer and then retry the client software installation.
0x80070032 | One or more prerequisites for installing the client software weren't found on the client computer. | Make sure that all required updates are installed on the client computer and then retry the client software installation.
0x80043008, 0x80CF3008 | Failed to start the Microsoft Online Management Updates service. | Contact Microsoft Support as described in How to get support in Microsoft Endpoint Manager.
0x80043009, 0x80CF3009 | The client computer is already enrolled into the service. | You must retire the client computer before you can re-enroll it in the service.
0x8004300B, 0x80CF300B | The client software installation package can't run because the version of Windows that is running on the client isn't supported. | Intune doesn't support the version of Windows that is running on the client computer.
0xAB2 | The Windows Installer couldn't access VBScript run time for a custom action. | This error is caused by a custom action that is based on Dynamic-Link Libraries (DLLs).
0x80cf0440 | The connection to the service endpoint terminated. | Trial or paid account is suspended. Create a new trial or paid account and re-enroll.

Next steps

If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support in Microsoft Endpoint Manager.

Citrix Workspace app is here to replace Citrix Receiver with a new UI and capabilities (primarily for Citrix Cloud customers). Here’s how to deploy it across various supported platforms in a modern management capacity with Microsoft Intune.

Windows 10

There are multiple deployment options for Workspace app on Windows via Microsoft Intune:

  • Workspace app from the Microsoft Store. This version has some feature limitations but requires the least amount of effort to deploy
  • The full Workspace app that provides the best compatibility, but doesn’t ship as a Windows Installer file and therefore requires custom solutions to deploy

Microsoft Store

Adding the Workspace app from the Microsoft Store is well documented and should take only 5 minutes to get the app from the Store, synchronise to Intune and assign the app to your users. How’s that for done and dusted? - I’m sure you’ve got better things to do than package and maintain applications.

Citrix Workspace in the Microsoft Store

The Workspace app can be assigned as available for end-users to install via the Intune Company Portal or required for automatic deployment. Once deployed, the Store will take care of updates, thus there is no further action required by the administrator.

Citrix Workspace app in the Microsoft Intune Company Portal

If you have already deployed Citrix Receiver from the Microsoft Store via Intune, it should be automatically updated to Citrix Workspace. One of the key feature limitations of the Microsoft Store version is pass-through authentication, so you might need to consider alternative deployment options.

PowerShell

The Workspace app installer is a single executable, just as it has been with Citrix Receiver. This presents a challenge to deploy Workspace app as a line-of-business application with Intune, which requires Win32 applications to be packaged as a single Windows Installer file. PowerShell scripts are a simple alternative, but deploying applications via PowerShell has two key considerations:

  • PowerShell scripts can’t be applied to computer groups
  • PowerShell scripts are executed on devices only when an Azure Active Directory user is signed in to the device

Deploying this way also means that the Workspace app will be deployed regardless of user choice and of course does not support deployment via the Intune Company Portal.

Like we’ve done previously with Citrix Receiver, the Workspace app can be deployed to Windows 10 machines via Intune with PowerShell without requiring custom packaging. We need a consistent URL that will always download the latest version of Workspace app and a command line to perform a silent installation. Your command line options might differ depending on your target environment, but the example script below will download and install the Workspace app.
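
An added example, not the author's script: it downloads the installer, refuses to run it unless its Authenticode signature is valid and from the expected publisher, and then installs silently. The download URL is a placeholder, and the publisher pattern and the /silent /noreboot switches are assumptions to confirm for your environment.

```powershell
# Added example, not the author's original script.
# ASSUMPTIONS: $Url is a placeholder for the download URL you have chosen;
# the publisher pattern and installer switches are typical values to confirm.
$ErrorActionPreference = 'Stop'

$Url        = 'https://downloads.example.invalid/CitrixWorkspaceApp.exe'  # placeholder
$SignerLike = '*Citrix Systems*'    # assumed publisher name in the signing certificate
$Arguments  = '/silent /noreboot'   # assumed switches; adjust for your environment

# Use a fresh, randomly named working folder rather than a fixed path in TEMP.
$WorkDir   = Join-Path $env:TEMP ([Guid]::NewGuid().ToString())
$Installer = Join-Path $WorkDir 'CitrixWorkspaceApp.exe'
New-Item -ItemType Directory -Path $WorkDir | Out-Null

try {
    # Windows PowerShell 5.1 may negotiate older protocol versions; require TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Url -OutFile $Installer -UseBasicParsing

    # Do not execute a download that is unsigned, modified, or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        throw "Installer signature status is '$($sig.Status)'; not installing."
    }
    if ($sig.SignerCertificate.Subject -notlike $SignerLike) {
        throw "Unexpected signer '$($sig.SignerCertificate.Subject)'; not installing."
    }

    # Run the installer and wait for it to finish.
    $proc = Start-Process -FilePath $Installer -ArgumentList $Arguments -Wait -PassThru

    # Assumption: any non-zero exit code is treated as a failed installation,
    # which makes the script itself report failure.
    if ($proc.ExitCode -ne 0) {
        throw "Installer exited with code $($proc.ExitCode)."
    }
}
finally {
    # Remove the downloaded installer whether or not the install succeeded.
    Remove-Item -Path $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
}
```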

Once deployed, devices must then rely on auto-updates to ensure that Workspace app is kept up-to-date.

Re-package Citrix Workspace app for Windows Installer

With the right tools and a bit of effort, Citrix Workspace app can be re-packaged into a single Windows Installer file. Once you’ve packaged the app with this method you’ll need to maintain the package and update it regularly. As with the PowerShell method though, auto-updates will keep Workspace app up-to-date once deployed.

Is this approach right for you? This requires maintaining and deploying a custom package and is dependent on how the environment is managed and available skillsets. Only you can answer that for your projects or environments. A custom package isn’t ideal and I recommend using the Microsoft Store version as the default approach instead.

Citrix Workspace app extracted Windows Installer files

HDX RealTime Media Engine

The Citrix HDX RealTime Media Engine, required for optimising Skype for Business under XenApp and XenDesktop, does come as a single Windows Installer file. This makes it easy to deploy the engine to Windows PCs as a Required line-of-business application without modification or custom packaging. This will ensure that no user interaction is required to install the engine, since most users are unlikely to know what it does anyway.

Bonus: Citrix Workspace app for Chrome

If you have Google Chrome deployed in your environment and you’d like to deploy the Citrix Workspace app for Chrome, this can be achieved with a PowerShell script that will deploy it either as a preference that users must approve, or as a policy that is automatically pushed out and that users will be unable to remove from Chrome.

Google provides detailed documentation on deploying Chrome extensions on Windows.

Here’s a basic script to deploy Workspace app for Chrome via PowerShell that uses the app’s Chrome Web Store identifier (haiffjcadagjlijoggckpgfnoeiflnem) to tell Chrome to install the app on next launch. This shows both approaches - deploy as a preference or enforced.

Add the script to the Intune portal and assign to a user group to deploy. Ensure the script runs in the system context because it needs to write to HKLM.
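The two approaches described above, as an added example and not the article's original script. The extension identifier is the one given in the article; the registry locations and the Chrome Web Store update URL follow Google's documentation for deploying extensions on Windows, and the `$Enforce` toggle is a hypothetical variable used here because Intune scripts run without parameters.

```powershell
# Added example: deploy Citrix Workspace app for Chrome via the registry (run as SYSTEM).
$Enforce     = $false   # hypothetical toggle: $true = policy (forced), $false = preference
$ExtensionId = 'haiffjcadagjlijoggckpgfnoeiflnem'                  # identifier from the article
$UpdateUrl   = 'https://clients2.google.com/service/update2/crx'   # Chrome Web Store update URL

if ($Enforce) {
    # Policy: Chrome installs the extension and users cannot remove it
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }

    $item  = Get-Item -Path $key
    $names = $item.GetValueNames()

    # Leave other administrators' entries alone and avoid adding a duplicate
    $existing = $names | Where-Object { $item.GetValue($_) -like "$ExtensionId*" }
    if (-not $existing) {
        # Force-list values are named 1, 2, 3, ...; take the first free number
        $next = 1
        while ($names -contains "$next") { $next++ }
        New-ItemProperty -Path $key -Name "$next" -Value "$ExtensionId;$UpdateUrl" `
            -PropertyType String | Out-Null
    }
}
else {
    # Preference: Chrome offers the extension on next launch and the user must approve it
    $root = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions'
    } else {
        'HKLM:\SOFTWARE\Google\Chrome\Extensions'
    }
    $key = Join-Path -Path $root -ChildPath $ExtensionId
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'update_url' -Value $UpdateUrl `
        -PropertyType String -Force | Out-Null
}
```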

macOS

The Citrix Workspace app can be deployed as a line-of-business application with Microsoft Intune. The Workspace app download comes as an Installer package (inside an Apple Disk Image) that can be converted into a suitable file format with the Microsoft Intune App Wrapping Tool, ready to deploy with Intune.

The Citrix Workspace app disk image

Convert the Installer

Instructions for converting a .pkg file to a .intunemac file are outlined in the documentation, and the basic process I have followed to convert the Citrix Workspace app installer file is:

  1. Download the Intune App Wrapping Tool for Mac executable - IntuneAppUtil - to a local folder. I’ve downloaded it to ~/bin.
  2. Mark the file as executable. In my example, I’ve done this with:
  3. Optionally copy the Install Citrix Workspace.pkg file to a local folder. You should also be able to run the converter against the copy stored in the disk image. In my example, I’ve copied the installer to ~/Projects/Intune-Apps. Rename the installer to remove spaces, so rename the file to InstallCitrixWorkspace.pkg.

Note: Removing the spaces from the installer name before converting is important, otherwise when installing the application, macOS will report the following error and the installation will fail to download and install:

  4. Convert the .pkg file into the required .intunemac format with a command similar to the following example - note that the -o switch should include a directory path only.

If successful the command line will look similar to the following screenshot:

Converting the Citrix Workspace app with IntuneAppUtil

The Workspace app installer will have been converted into a .intunemac format ready to import into the Intune portal for distributing to users.

The converted Citrix Workspace app

Distribute with Intune

With the prepared package, create a new line-of-business app in the Intune portal, select the .intunemac file and enter application information as follows:

  • Name - Citrix Workspace
  • Description - copy and paste the description from Workspace app on the Microsoft Store
  • Publisher - Citrix
  • Ignore app version - Yes
  • Category - Business or Productivity
  • Information URL - https://docs.citrix.com/en-us/citrix-workspace-app-for-mac.html
  • Privacy URL - https://www.citrix.com.au/about/legal.html
  • Logo - download the Workspace app icon in PNG format here

Once the details have been added, click OK to create the application. I initially had issues with uploading the application on Chrome on macOS. I was successful on Internet Explorer.

Adding the Citrix Workspace app as a line-of-business app in Microsoft Intune

Once the application has been created and assigned to users, it will be available for install in the Intune Company Portal. The application can also be set to required for automatic deployment.

Citrix Workspace available in the Intune Company Portal on macOS

Just as on Windows, updates to the Citrix Workspace app can be managed with the inbuilt updater, post-deployment.

HDX RealTime Media Engine

The Citrix HDX RealTime Media Engine is also available as an installer package that can be converted and deployed the same way as Workspace itself. Citrix Workspace app is now a 64-bit macOS application and will, therefore, require a 64-bit version of the HDX RealTime Media Engine. Right now, a 64-bit HDX RealTime Media Engine is in tech preview that can be downloaded, packaged, uploaded as a line-of-business application and assigned.

iOS

As at the time of writing, Citrix Receiver is still available on the iOS App Store and we should see it updated to Citrix Workspace app soon. Adding an iOS application in Microsoft Intune is, fortunately, a simple process:

  1. Add an application and choose ‘Store app - iOS’, then search the app store
  2. Search for ‘Citrix’, ‘Citrix Receiver’ or ‘Citrix Workspace’
  3. Choose ‘Citrix Receiver’ or ‘Citrix Workspace’ depending on what is returned
  4. Save the change and Add the application
  5. Assign the application as required

The application will be available in the Intune Company Portal:

Citrix Workspace for iOS available in the Intune Company Portal

Existing deployments of Citrix Receiver should be updated to Citrix Workspace app automatically.

Android

Android Store app

At the time of writing, the Workspace app for Android is not available in the Google Play Store, but a tech preview is available for download as an APK. I would recommend deploying Citrix Receiver via the Google Play Store, but with access to an APK file, you can deploy Android applications directly to enrolled devices as a line-of-business application with Intune.

The process for deploying Citrix Workspace app or Citrix Receiver on Android follows the standard Android store app deployment steps:

  1. Add an application and choose ‘Store app - Android’, then search the app store
  2. Name - ‘Citrix Workspace’ or ‘Citrix Receiver’
  3. Description - copy and paste the description from Workspace app on the Microsoft Store
  4. Publisher - Citrix
  5. Appstore URL - https://play.google.com/store/apps/details?id=com.citrix.Receiver
  6. Minimum operating system - Android 4.4 (Kitkat)
  7. Category - Business or Productivity
  8. Privacy URL - https://www.citrix.com.au/about/legal.html
  9. Logo - download the Workspace app icon in PNG format here

Assign the application and it will be available to users in the Intune Company Portal.

Android Work Profile app

In the future, it’s more likely that organisations will leverage the Android enterprise capabilities, previously known as Android for Work. This also simplifies Android app deployment with a connection between Microsoft Intune and the Google Play store. Once configured, browse the Google Play store, approve a list of desired apps and these will then appear for assignment in the Mobile Apps node in Intune.

Here’s Citrix Receiver in the Google Play store.

Approving Citrix Receiver in the Google Play store

Once approved, you must choose how new permissions will be approved:

  • Keep approved when app requests new permissions - Users will be able to install the updated app. (Default)
  • Revoke app approval when this app requests new permissions - App will be removed from the store until it is reapproved.

You can approve and deploy Citrix Receiver today, which should be automatically updated to Citrix Workspace app once it is released.

Wrap-up

In this article, I’ve covered the high-level steps required for deployment of the Citrix Workspace app across the various major platforms supported by Microsoft Intune. Mobile platforms, including the Microsoft Store on Windows 10, will require the least amount of administrative effort to configure, deploy and update. For most organisations supporting Windows as their primary platform, even with Microsoft Intune, the choice of deployment solution will depend on Workspace app feature requirements.