Manage Citrix Endpoint Analysis client for Device Posture service

Citrix Device Posture service is a cloud-based solution that helps admins to enforce certain requirements that the end devices must meet to gain access to Citrix DaaS (virtual apps and desktops) or Citrix Secure Private Access resources (SaaS, Web apps, TCP, and UDP apps).

To run device posture scans on an end device, you must install the Citrix EndPoint Analysis (EPA) client, which is a lightweight application, on that device. Device Posture service always runs with the latest version of the EPA client released by Citrix.

Installation of the EPA client

During runtime, the Device Posture service prompts the end user to download and install the EPA client during run-time. For details, see End-user flow. Usually, an EPA client does not require local admin rights to download and install on an endpoint. However, to run device certificate check scans on an end device, the EPA client must be installed with administrator access. For details about installing an EPA client with administrator access, see Install device certificate on the end device.

Upgrade of the EPA client for Windows

When a new version of the EPA client is released, the EPA clients for Windows are upgraded by default after the first installation. Auto-upgrade ensures that the end-user devices are always running on the latest version of the EPA client that is compatible with the Device Posture service. For the auto-upgrade, the EPA client must have been installed with administrator access.

Distribution of the EPA client

EPA clients can be distributed using Global App Configuration service (GACS) or EPA integrated with Citrix Workspace app installer, or using software deployment tools.

  • EPA client installer integrated with Citrix Workspace app: The EPA client installer is integrated with Citrix Workspace app 2402 LTSR for Windows. This integration eliminates the need for the end users to install EPA client separately after installing Citrix Workspace app.

    To install the EPA client as part of Citrix Workspace app, use the command line option InstallEPAClient. For example, ./CitrixworkspaceApp.exe InstallEPAClient.

    Note:

    • EPA client installation as part of Citrix Workspace app is disabled, by default. It must be explicitly enabled by using the command line option InstallEPAClient.
    • If an end device already has an EPA client installed and the end user installs Citrix Workspace app, the existing EPA client is upgraded.
    • If an end user uninstalls Citrix Workspace app, then the integrated EPA client is also removed from the device, by default. However, if the EPA client was not installed as part of the integrated Citrix Workspace app installation, then the existing EPA client is retained in the device.
    • The EPA client installer integrated with Citrix Workspace app can also be used with NetScaler. For details, see Manage EPA client when used with NetScaler and Device Posture.
  • Distribute the client using GACS: GACS is a Citrix provided solution to manage the distribution of client-side agents (plug-ins). The Auto update service available in GACS ensures that the end devices are on the latest EPA versions without end user intervention. For more information on GACS, see How to use the Global App Configuration service.

Note:

  • GACS is supported on Windows devices only for distributing the EPA client.
  • To manage an EPA client through GACS, install Citrix Workspace Application (CWA) on the end devices.
  • If CWA is installed with administrator privileges on an end user device, then GACS installs the EPA client with the same administrator privileges.
  • If CWA is installed with user privileges on an end user device, then GACS installs the EPA client with the same user privileges.

Distribute the client using Software deployment tools: The latest EPA client can be distributed by admins through software deployment tools like Microsoft SCCM.

Manage EPA client when used with NetScaler and Device Posture

The EPA client can be used together with NetScaler and Device Posture in the following deployments:

  • NetScaler based Adaptive Authentication with EPA
  • NetScaler based on-prem gateway with EPA

The Device Posture service pushes the latest version of the EPA client to the end devices. However, on NetScaler, administrators can configure the following version control for the EPA scans on gateway virtual servers:

  • Always: The EPA client on the end device and NetScaler must be on the same version.
  • Essential: The EPA client version on the end device must be within the range configured on NetScaler.
  • Never: The end device can have any version of the EPA client.

For more information, see Plug-in behaviors.

Considerations when EPA client is used with NetScaler and Device Posture

When an EPA client is used together with Device Posture Service and NetScaler, there might be scenarios where the end device is running the latest EPA client version whereas NetScaler is on a different version of the EPA client. This might result in a mismatch of the EPA client version on NetScaler and the end device. As a result, NetScaler might prompt the end user to install the EPA client version which is present on NetScaler. To avoid this conflict, we recommend the following configuration changes:

  • If you have configured EPA with Adaptive Authentication or on-premises authentication or gateway virtual server, it is recommended that you disable version control of the EPA client on NetScaler. This is done to ensure that the GACS or Device Posture service does not push the latest version of the EPA client to the end devices.
  • The EPA version control can be set to Never by using the CLI or the GUI. These configuration changes are supported on NetScaler 13.x and later versions.

Sample CLI commands:

add rewrite action <rewrite_action_name> insert_http_header Plugin-Upgrade "\"epa_win:Never;epa_mac:Always;epa_linux:Always;vpn_win:Never;vpn_mac:Always;vpn_linux:Always;\""

add rewrite policy <rewrite_action_policy> "HTTP.REQ.URL.CONTAINS(\"pluginlist.xml\")" <rewrite_action_name>

bind authentication vserver <Authentication_Vserver_Name> -policy <rewrite_action_policy> -priority 10 -type RESPONSE
<!--NeedCopy-->
Manage Citrix Endpoint Analysis client for Device Posture service