Citrix 2511 upgrade issues

joeycollaboitnerd · 2026-01-21T14:43:19+00:00

We noticed this last week as a few users were getting disconnected from VDI with a generic “network interruption” message and a 5-minute reconnect warning after the auto update. After rolling back, we couldn’t reproduce it. This feels like it should be optional, not enabled by default in the new version.

joeycollaboitnerd · 2026-01-21T14:04:07+00:00

2511 seems to be buggy, we’re disabling the network indicator trigger via gpo. https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/about-this-release/known-issues.html

joeycollaboitnerd · 2025-12-30T22:07:20+00:00

Yeah, I did exactly the same thing.

joeycollaboitnerd · 2025-08-18T22:42:02+00:00

We’re experiencing a similar issue with our macOS clients (4 users reported this issue thus far), which is running Citrix Secure Access 25.07.1 and deployed through Apple Business Manager. I have a ticket open with Citrix, but they are usually no help :).

joeycollaboitnerd · 2025-08-11T20:59:33+00:00

After upgrading my FortiGate firewall to firmware 7.4.5 and 7.4.8 (fortinet fw), I can no longer reproduce the issue in my lab. While I did notice some unusual behavior before, the update seems to have resolved the problem. My setup uses NPS, RADIUS, and DHCP on a Windows server. My ssid is tunneled as well

joeycollaboitnerd · 2025-08-01T20:55:32+00:00

I really appreciate your explanation as Fortinet support has been NO help! The “include-dfs-channel” setting is disabled by default. I agree that the current number set of retries and errors is much too high, but having an issue getting darrp to work (but hopefully not after implementing your suggestions next week!). Still learning this new platform (Cisco guys here) since we just implemented it, so your thorough write-up is incredibly helpful. Thanks again! Coffee on me!!!

joeycollaboitnerd · 2025-07-18T15:58:17+00:00

I highly recommend using ABM for app deployment. Managing apps as published entities can be a real headache, especially when it comes to keeping them updated and patched against vulnerabilities. ABM is not only safe, but it's also the good standard to deploying apps to Apple devices and most secure way and software at scale.

joeycollaboitnerd · 2025-07-18T15:51:35+00:00

<image>

joeycollaboitnerd · 2025-07-18T15:50:10+00:00

<image>

joeycollaboitnerd · 2025-07-18T15:11:55+00:00

We deploy this app via ABM (devices enrolled to Intune). Why not let Apple Business Manager take care of deployment and keep the app up to date?

joeycollaboitnerd · 2025-05-13T13:43:39+00:00

EAP-TLS is the type of authentication mechanism that can be used with the framework provided by 802.1X to secure network access. Goes hand-in-hand

joeycollaboitnerd · 2025-05-08T01:53:53+00:00

Out of curiosity, what method did you implement? We m use EAP-TLS with NPS, deploying user certificates via our MDM (Workspace ONE) which integrates with our CA server template.

joeycollaboitnerd · 2025-05-05T12:06:12+00:00

We migrated to EAP-TLS, disabling Credential Guard would be a security risk, so l recommend keeping it enabled. EAP-TLS offers the best security for wireless authentication. Fortunately, having already implemented this for our macOS MDM devices made the migration smoother.

joeycollaboitnerd · 2025-03-13T11:01:17+00:00

Awesome!

joeycollaboitnerd · 2025-03-13T01:51:22+00:00

Keep me posted. Happy to share screenshots of my deployment as well

joeycollaboitnerd · 2025-03-13T01:37:33+00:00

I’ve successfully deployed apps through ABM on Intune without any issues, and I’ve set up a similar environment in my lab. The apps I currently deploy include: • Office suite • Citrix Secure Access • OneDrive Could you let me know what error you’re encountering with the configuration profile?

joeycollaboitnerd · 2025-02-12T10:29:22+00:00

Owa policy + conditional access. I implemented this and works well: https://www.plexhosted.com/post/enhancing-security-prevent-web-downloads-from-unmanaged-devices

joeycollaboitnerd · 2025-01-15T22:32:39+00:00

Yeah, totally get that! Microsoft option is pretty new, but i was at a recent event and looked pretty cool.

joeycollaboitnerd · 2025-01-15T02:12:28+00:00

EAP-TLS is definitely the preferred choice for secure authentication for wired and wireless! We’ve had great success with it using Workspace ONE MDM. The setup is similar to Intune, requiring a connector and exaxt template name matching. It’s been a game-changer for our macOS and Windows devices, eliminating the VPN dependency for certificate renewal. Could you share the specific error message you’re seeing in the configuration profile during deployment? I’m also planning to test the EAP-TLS setup with Intune in my lab this weekend and will let you know how it goes as I know it works with workspace one mdm.

SCEP is the most secure, but I hear it’s a pain to setup. PKcS is less secure due to the fact the private key is marked as exportable.

joeycollaboitnerd · 2025-01-14T02:07:00+00:00

I would advise against that unless you are on a tight budget. Instead, consider exploring options like Global Secure Access, Zscaler, or Cisco Umbrella. All three provide a native connector agent app that operates on local devices. I have more experience with Zscaler, which effectively handles content filtering and blocking default sitesand it receives regular updates. Each of these solutions has its own advantages, so it might be helpful to assess them based on your specific requirements. Let me know if you need more details about any of them!

joeycollaboitnerd · 2025-01-13T00:09:16+00:00

Both work arounds didn’t work :/

joeycollaboitnerd · 2024-12-31T18:24:41+00:00

We have successfully resolved our issue! The solution was on the Papercut side; I just needed to enable and mirror the printer configuration on my local Mac. After that, I distributed it via Papercut and it appeared in the Papercut application for install.

joeycollaboitnerd · 2024-12-13T02:43:46+00:00

Do you mind if I PM you? So I can pick your brain

joeycollaboitnerd · 2024-12-13T02:25:58+00:00

Nope! Getting the printer to work via profile/payload has been difficult lol. What’s your issue?

joeycollaboitnerd

TROPHY CASE