Configuring Citrix Receiver with Custom Intune policies

Before I start, I can’t claim to be the brains behind all of this one as I’m simply sharing what has been shared with me and adding my own interpretations. David Inglis (@thecockneymanc) responded to a post I made on Twitter as he’d been through the pain of figuring this one out but doesn’t have the platform to share this one publicly. I’ve tested and am sharing with full credit and attribution his way.

I was asked a question by someone specifically around configuration of Citrix Receiver Updates with Intune custom policy. Here I am referring to custom ADMX ingestion to effectively re-create, in Intune, the GPO settings that have been applied to a device. Microsoft Intune uses OMA-URI, a standard method used by mobile device management platforms. That doesn’t natively translate into all settings in Windows, so we have to effectively translate it into something Windows can understand. In the case of 3rd party administrative templates that have been added into group policy for configuring non-Microsoft apps, we have to either obtain the settings from the vendor (not common) or translate them with ADMX ingestion. I’m not going to cover general ADMX ingestion in this post, but you can find lots of info on that – https://lmgtfy.app/?q=microsoft+intune+admx+ingestion

For Citrix Receiver specifically, there seems to be little information out there and the question came specifically around how to set the AutoUpdate behaviour. David popped up with the answer, and the secret is in the Receiver.admx file: you need to edit it before ingesting. You need to obtain the CitrixBase.admx file and the Receiver.admx file, then edit the Receiver file to cut out the ica-file-signing section.

You will see at the end of this section that you might also need to obtain the ADML files for translation. You can find all the files you need on a device that has Receiver installed.

ADMX files – C:\Users\<username>\AppData\Local\Citrix\ICA Client\Configuration
ADML files – C:\Users\<username>\AppData\Local\Citrix\ICA Client\Configuration\<language folder>

I have tested this only on Citrix Receiver version 4.11.0.17061; other versions may have differences.

Here’s what I did for AutoUpdate behaviour

I created one custom configuration policy with 3 OMA-URI Settings like so:


Citrix ADMX Ingestion
This is the difficult bit that was explained to me and is very hard to find written down it seems. The Base and the Receiver ADMX work together. We can ingest Base as it is but we must modify the Receiver ADMX. In the Receiver ADMX, you must remove the section for ica-file-signing.
From the section starting here

All the way through to here

With that section removed, you can ingest the Receiver ADMX too. So that will leave you something like this:

Name: Citrix Base ADMX Ingest
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Citrix/Policy/Base
Data type: String
Value: the whole CitrixBase.admx file

Name: Citrix Receiver ADMX Ingest
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Citrix/Policy/Receiver
Data type: String
Value: the receiver.admx file with the ica-file-signing section removed.

Name: AutoUpdates Disabled
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~ICAClient~AutoUpdate/Policy_EnableAutoUpdatePolicy
Data Type: String
Value: <enabled/> <data id="Part_EnableAutoUpdatePolicy" value="False"/> <data id="Part_EnableAutoUpdatePolicy_version" value="False"/> <data id="Part_EnableAutoUpdatePolicy_RemindMeLater" value="0"/>

This last one is the setting that controls the actual update behaviour. I have switched around the values from False and 0 to True and 1 and this reflects in the Citrix Receiver UI.
There may be other combinations available which you should find within the Receiver ADMX file.

There’s some more information available in here which might help you.
Configure Workspace App using Intune – Receiver for Windows 4.x – Discussions (citrix.com)

What about the rest of the settings?

As a rule of thumb, you can translate them fairly easily. Some will be easy to find the equivalent for directly in the Receiver ADMX file, but some you might need to look up in the language appropriate ADML file.

Looking at the existing group policy, find the name of the setting in the language specific Receiver ADML file.

Example – Enable CEIP

Find the policy display name in the ADML file – Enable CEIP

Note the corresponding string id (yes there’s a typo, thanks Citrix!) – Polciy_CEIP

Match the string id to the policy name in the ADMX file. This then gives you the possible value outcomes for this setting which you should be able to match back to your original GPO setting.

From here we can make our custom OMA-URI using a template like so:

./Device/Vendor/MSFT/Policy/Config/<AppName>~<SettingType>~<CategoryPathFromADMX>/<SettingFromADMX>

So for this CEIP example:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Citrix~Policy~ICAClient~CEIP/Polciy_CEIP
Data Type: String
Value: <enabled/> <data id="Polciy_CEIP" value="0"/>
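
The lookup steps above (display name in the ADML, string id, policy in the ADMX, category path, OMA-URI) can be scripted. This is an added example, not code from the original post or from Citrix; the ADMX/ADML fragments are constructed stand-ins for the real files, the registry key and valueName are placeholders, and oma_uri_for is a hypothetical helper name. It assumes every category in the path is defined in the same ADMX file.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
# Constructed fragments, NOT the real Citrix files; key/valueName are placeholders.
SAMPLE_ADML = f"""<policyDefinitionResources xmlns="{NS}"><resources><stringTable>
  <string id="Polciy_CEIP">Enable CEIP</string>
</stringTable></resources></policyDefinitionResources>"""
SAMPLE_ADMX = rf"""<policyDefinitions xmlns="{NS}">
  <categories>
    <category name="ICAClient"/>
    <category name="CEIP"><parentCategory ref="ICAClient"/></category>
  </categories>
  <policies>
    <policy name="Polciy_CEIP" class="Machine" displayName="$(string.Polciy_CEIP)"
            key="Software\Policies\PLACEHOLDER">
      <parentCategory ref="CEIP"/>
      <elements><decimal id="Polciy_CEIP" valueName="PLACEHOLDER"/></elements>
    </policy>
  </policies>
</policyDefinitions>"""
INGEST_URI = "./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Citrix/Policy/Receiver"

def _parse(text):
    root = ET.fromstring(text)
    for el in root.iter():  # drop XML namespaces so tag lookups stay readable
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def oma_uri_for(display_name, admx_text, adml_text, ingest_uri):
    # AppName and SettingType are whatever was used in the ADMXInstall URI.
    app, setting_type = ingest_uri.split("/ADMXInstall/")[1].split("/")[:2]
    adml, admx = _parse(adml_text), _parse(admx_text)
    # Step 1: display name -> string id, taken from the ADML string table.
    refs = {f"$(string.{s.get('id')})" for s in adml.iter("string")
            if (s.text or "").strip() == display_name}
    # Step 2: string id -> policy element in the ADMX.
    policy = next((p for p in admx.iter("policy") if p.get("displayName") in refs), None)
    if policy is None:
        raise LookupError(f"no policy with display name {display_name!r}")
    # Step 3: walk parentCategory refs upwards; a ref not defined here ends the walk.
    parents = {c.get("name"): c.find("parentCategory") for c in admx.iter("category")}
    path, ref = [], policy.find("parentCategory").get("ref")
    while ref in parents and ref not in path:
        path.insert(0, ref)
        parent = parents[ref]
        ref = parent.get("ref") if parent is not None else None
    return {"oma_uri": f"./Device/Vendor/MSFT/Policy/Config/{app}~{setting_type}"
                       f"~{'~'.join(path)}/{policy.get('name')}",
            "registry_key": policy.get("key"),  # where to verify on the client
            "data_ids": [e.get("id") for e in policy.iter() if e.get("id")]}
```

The returned data_ids are the ids to use in the <data id="..."/> parts of the Value string, and registry_key is the path to check on the test client.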

We can verify this has applied both in the Per-Setting status report in Intune and also by checking the relevant registry path on the test client. The path can be found under the ‘key’ value on the same line as your policy name in the ADMX. Of course you should also see this configured in the application if you got it right.

You should also be able to validate the application of those in the event viewer like so. If you filter on event ID 873 you should see the specific ingestion of the ADMX.

That’s it for now, hopefully that is useful for someone and many thanks again to David Inglis (@thecockneymanc) for leading me into the key on this which was to edit the ADMX file before ingesting it.

/Peter
