Citrix XenDesktop 7.17 and XenApp 7.17 released
Citrix has released Citrix XenDesktop 7.17 and XenApp 7.17, and they are now available for download.
I am pretty excited about this release because HDX 3D Pro has also been improved with H.265: it’s handled selectively for appropriate regions of a session for the best possible combination of quality and performance with Selective H.265 Encoding with NVIDIA Hardware. Another piece of great news is that XenServer 7.4 finally supports vGPU XenMotion with NVIDIA Pascal GPUs and also now supports AMD MxGPU.
Customers that are using Linux can now use Citrix Linux VDA 3D Pro with NVIDIA Pascal GPUs such as P4, P40, P6, P100. The Citrix Linux VDA 3D Pro now works with NVIDIA vGPU for NVIDIA Pascal GPUs and also supports vGPU hardware encoding, which means more hardware encoding is done on the GPU with HDX and not on the CPU. This new feature frees up CPU resources, which applications can benefit from, and also means a better user experience.
Citrix raises the bar for user experience with new product releases of the following technologies:
- Virtual Delivery Agents 7.17 for ServerOS and ClientOS
- Virtual Delivery Agent 7.17 for Linux
- Self-Service Password Reset 1.1.10
- Director 7.17
- Profile Management 7.17
- Storefront 3.14
- Provisioning Services 7.17
- Session Recording 7.17
- App Layering 4.9
- XenMobile Server 10.8
- XenServer 7.4
- Licensing 188.8.131.52
- Receiver 4.11 for Windows
- AppDNA is now deprecated for current release.
Citrix continues to maintain current support levels as described in XenApp and XenDesktop Servicing Options.
What’s new in XenApp and XenDesktop 7.17
This product release includes the following new, modified, and enhanced features.
Install and upgrade VDAs: additional restart
An additional restart occurs when upgrading a VDA to version 7.17 (or a later supported version). This restart is required after the installer removes one of the MSIs (ICA WS/Ts) and then installs the new version of that MSI.
Install and upgrade VDAs: VDA supportability tools option
When you install a VDA, you can now choose whether to install a VDA supportability MSI that includes Citrix tools. You can use the tools to check items such as the overall health of your VDA and connection quality. In the installer’s graphical interface, select or clear a check box on the Additional Components page. In the command line interface, use the /exclude "Citrix Supportability Tools" option to prevent installation of the MSI that contains the tools.
Install and upgrade VDAs: Removal of PDF printer driver option
The VDA installers no longer offer options to control Universal Print Server PDF printer driver installation. The PDF printer driver is now always installed automatically. When you upgrade to the 7.17 VDA (or a later supported version), any previously installed Citrix PDF printer driver is automatically removed and replaced with the latest version.
Launch applications from a published desktop
When users launch a published application from within a published desktop, you can use PowerShell to control whether the application is launched in that desktop session or as a published application in the same Delivery Group. By default, the application in the published desktop session is launched. For details, see Control local launch of applications on published desktops.
Federated Authentication Service
The Citrix Federated Authentication Service released with XenApp and XenDesktop 7.17 stores its configuration data, including user and registration authority certificates, in an embedded database. In previous releases, this data was stored in the registry. When upgrading to this release, all Federated Authentication Service configuration data except user certificates is migrated from the registry to the embedded database. Therefore, we recommend that before upgrading, you erase all user certificates with the following FAS PowerShell command:
PIV smart card authentication support. Apart from the form based and Integrated Windows authentication of users, Director now supports Personal Identity Verification (PIV) based smart card authentication. This feature is useful for organizations and government agencies that use smart card based authentication for access control.
To log on to Director, insert your smart card into the smart card reader, and enter your smart card token. After you are authenticated, you can access Director without having to provide additional credentials on the Director logon page.
For more information on the configuration required for smart card based authentication, see Configure PIV smart card authentication.
For more information on using Director with smart card based authentication, see the Use Director with PIV based smart card authentication section in the Director article.
Virtual Delivery Agents (VDAs) 7.17 for Win/Server OS
Version 7.17 of the VDA for Server OS and the VDA for Desktop OS include the following enhancements:
- Browser content redirection blacklist. You can create a blacklist policy along with the existing Access Control List (ACL) policy. The URLs in this blacklist policy aren’t redirected. For example, you add a company’s URL to the whitelist, but you don’t want a specific URL at the company website to be redirected. Add that specific URL to the blacklist and browser content redirection doesn’t occur for that URL. For more information, see Browser content redirection.
- Browser content redirection video fallback prevention. If client redirection fails, you can prevent fallback of HTML5 videos to the server side. Use the existing Windows media fallback prevention policy to prevent server side rendering of video elements. Setting this policy suppresses only the video elements and not the HTML content of the page. The HTML content is rendered on the server. For more information, see Browser content redirection.
- Citrix webcam video compression for 64-bit applications. Support for 64-bit Citrix webcam video compression is available.
Important: The 64-bit application support requires H.264 compression.
- Lossless compression codec (MDRLE). In XenApp and XenDesktop 7.17, Citrix added a higher compression ratio MDRLE encoder that consumes less bandwidth in typical desktop sessions than the 2DRLE codec. Lower bandwidth usually means improved session interactivity (especially on shared or constrained links) and reduced costs. For example, the expected bandwidth consumption when using the MDRLE codec is approximately 10–15% less compared with XenApp and XenDesktop 7.15 LTSR for typical Office-like workloads. Configuration isn’t required for the MDRLE codec. If Citrix Receiver supports MDRLE decoding, the VDA uses the VDA MDRLE encoding and the Citrix Receiver MDRLE decoding. If Citrix Receiver doesn’t support MDRLE decoding, the VDA automatically falls back to 2DRLE encoding.
MDRLE Requirements:
- XenApp and XenDesktop minimum version 7.17 VDAs
- Receiver for Windows minimum version 4.11
- Show or hide the remote language bar. The language bar displays the preferred input language in an application session. If this feature is enabled (the default), you can show or hide the language bar from the Advanced Preferences > Language bar UI in Citrix Receiver for Windows. You can disable this feature using a registry setting on the VDA side. For more information, see “Show or hide the remote language bar” in the HDX article and Improve the user experience.
- Text-based session watermarks to deter and track data theft. This feature allows you to configure textual watermarks containing information to help track data theft. This traceable information appears on the session desktop as a deterrent to those using photographs and screen captures to steal data.
Virtual Delivery Agent (VDA) 7.17 for Linux
Version 7.17 of the Linux VDA includes the following new features and enhancements:
Previously available as an experimental feature, adaptive transport is a fully supported feature in this release. Adaptive transport is a new data transport mechanism for XenApp and XenDesktop. It is faster, more scalable, improves application interactivity, and is more interactive on challenging long-haul WAN and internet connections.
Pass-through authentication with smart cards
Users can use a smart card connected to the client device for authentication when logging on to a Linux virtual desktop session. The smart card can also be used within the session, for example, to add a digital signature to a document, to encrypt or decrypt an email, or to authenticate to a web site that requires smart card authentication. For more information, see Pass-through authentication with smart cards.
Support for NVIDIA Pascal GPUs and vGPU hardware encoding
Starting with this release, Linux VDA 3D Pro supports vGPU for NVIDIA Pascal GPUs (Tesla P40) and vGPU hardware encoding. For information about graphics configuration, see Configure graphics.
Dynamic keyboard layout synchronization
This feature automatically synchronizes the keyboard layout of the VDA with that of the client device. Anytime the keyboard layout on the client device changes, the layout on the VDA follows suit. For more information, see Dynamic keyboard layout synchronization.
DTLS encryption for secure user sessions
With this release, Citrix is introducing DTLS to all supported Linux platforms as an experimental feature. For more information, see Secure user sessions using DTLS.
SUSE 12.3 instead of SUSE 12.2 is supported in this release. The following are the new dependencies for SUSE 12.3.
Self-Service Password Reset 1.1.10
This release addresses a number of issues that help to improve overall performance and stability.
Profile Management 7.17
This version includes the following new feature and addresses several issues to improve the user experience.
Synchronize file security attributes. Security attributes can be synchronized when Profile Management copies files and folders in a user profile between the system on which the profile is installed and the user store. This feature is enabled by default. For details, see Synchronize file security attributes.
- Support for the control of local application launch on published desktops. For more information, see CTX232210.
- StoreFront support for TLS 1.0 and TLS 1.1 protocols between XenApp and XenDesktop and Citrix Receiver, and Workspace Hub. Citrix recommends upgrading Citrix Receivers to a version which supports the TLS 1.2 protocol. For more information on TLS support with Citrix Receivers, see CTX23226. For the full list of deprecation announcements made in XenApp and XenDesktop 7.17, see Deprecations.
Provisioning Services 7.17
This release includes fixes and improvements to the XenDesktop Setup Wizard with enhancements to the Active Directory group enumeration method.
Provisioning API improvements
The Provisioning Services Console contains the XenDesktop Setup Wizard, which provides integration tasks between Provisioning Services, XenDesktop and Windows Active Directory. The Wizard, accessible from the PVS Console, creates the VMs and any necessary objects in PVS, XenDesktop and Windows Active Directory. This implementation was limited by the absence of an exposed API; without it, PVS users could not execute various automated testing paradigms in their environments.
In this release, XenDesktop Setup Wizard and Streamed VM Wizard functionality are exposed with a new service on the PVS Server through a PowerShell API. This API provides a PowerShell front end that can be used to automate the functionality provided by the Streamed VM Setup Wizard and the XenDesktop Setup Wizard.
The PVS API service uses an SSL connection, which requires you to configure an X.509 certificate on the PVS server.
Configure X.509 certificate
The PVS API service uses an SSL connection requiring an X.509 certificate on the PVS server. The certificate’s CA certificate must also be present on the PVS server and console machine.
To create a self-signed certificate for PVS API:
1. Download and install the Windows SDK for your PVS Server operating system.
2. Open a command prompt and navigate to the bin folder of the SDK. By default: C:\Program Files (x86)\Windows Kits\SDK_Version\bin\x64>.
3. Run the following commands:
a. Create a certificate to act as your root certificate authority:
makecert -n "CN=PVSRootCA" -r -sv PVSRootCA.pvk PVSRootCA.cer
b. Create and install the service certificate:
makecert -sk PVSAPI -iv PVSRootCA.pvk -n "CN=FQDN of the PVS Server" -ic PVSRootCA.cer -sr localmachine -ss my -sky exchange -pe
c. Install the root CA certificate in the Trusted Root Certification Authorities location on the server and console machines:
certmgr -add "PVSRootCA.cer" -s -r localMachine Root
4. Run the Configuration Wizard. On the Soap SSL Configuration page, select the certificate created.
When you run the PowerShell commands, use the "FQDN of the PVS Server" for PvsServerAddress and 54324 (default) for PvsServerPort.
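A check to run after the certificate procedure above, confirming that the root and service certificates are in the expected machine stores, that the chain builds, and that the signature and key parameters are not weak. This is an added example, not Citrix code; the function names are hypothetical and the FQDN shown is a placeholder.

```powershell
# Added example (not from Citrix). Run in an elevated PowerShell session on the PVS server.
# Function names are hypothetical; 'pvs01.example.local' is a placeholder FQDN.

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-PvsApiCertificate {
    param(
        [string]$Fqdn   = 'pvs01.example.local',  # placeholder: your PVS server FQDN
        [string]$RootCn = 'PVSRootCA'             # CN used for the root CA in the makecert command
    )

    # The root CA must be in the machine Trusted Root store, otherwise the
    # service certificate cannot be validated on this machine.
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq "CN=$RootCn" })
    New-CheckResult -Check 'Root CA in LocalMachine\Root' `
        -Passed ($roots.Count -gt 0) -Detail "$($roots.Count) match(es) for CN=$RootCn"

    # The service certificate must be in LocalMachine\My, named after the FQDN
    # that clients pass as PvsServerAddress, and issued by the root above.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.Issuer -eq "CN=$RootCn" })
    New-CheckResult -Check 'Service certificate in LocalMachine\My' `
        -Passed ($certs.Count -gt 0) -Detail "$($certs.Count) match(es) for CN=$Fqdn"

    foreach ($cert in $certs) {
        $id = $cert.Thumbprint

        # Without the private key the service cannot complete the SSL handshake.
        New-CheckResult -Check "[$id] private key present" `
            -Passed $cert.HasPrivateKey -Detail ''

        $now   = Get-Date
        $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        New-CheckResult -Check "[$id] within validity period" `
            -Passed $valid -Detail "expires $($cert.NotAfter.ToString('u'))"

        # Build the chain locally. Revocation checking is disabled because a
        # self-signed test CA publishes no CRL; a production CA should keep it on.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built  = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        New-CheckResult -Check "[$id] chains to a trusted root" `
            -Passed $built -Detail $status

        # Flag weak parameters. makecert signs with SHA-1 unless -a is given,
        # and the key length is controlled by -len.
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName
        New-CheckResult -Check "[$id] signature is not MD5/SHA-1" `
            -Passed ($sigAlg -notmatch 'md5|sha1') -Detail $sigAlg

        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { 0 }
        New-CheckResult -Check "[$id] RSA key is at least 2048 bits" `
            -Passed ($bits -ge 2048) -Detail "$bits bits"
    }
}

# Replace the placeholder with the FQDN used in CN= for the service certificate.
Test-PvsApiCertificate -Fqdn 'pvs01.example.local' | Format-Table -AutoSize
```

On a console machine only the first check applies, since the service certificate lives on the PVS server.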
Using the PVS API
After installing the latest Provisioning Services Server:
1. Run the configuration wizard.
2. Open the Services window on the PVS Server and verify that the PVS API is installed and configured to run as a PVS administrator:
PVS administrative privileges are configured as the same SOAP user.
3. Open a PowerShell window on your PVS server:
a. Import-Module "C:\Program Files\Citrix\Provisioning Services\Citrix.ProvisioningServices.dll"
The image below illustrates command options available at this release:
c. Ping the PVS API service:
Get-PvsApiServiceStatus -PvsServerAddress <FQDN of PVS Server> -PvsServerPort <Port PVS API is configured to listen on>
The PVS server port number is the one used for SOAP server communication.
d. Log in to the PVS API (use either of the following commands):
Use Domain/Username/Password parameters:
Get-PvsConnection -PvsServerAddress <FQDN of PVS Server> -PvsServerPort <SOAP Port +1 PVS API is configured to listen on> -Domain <PVS Admin Domain> -Username <PVS Admin username> -Password <PVS Admin password>
Use Pass-in PSCredential object:
Get-PvsConnection -PvsServerAddress <Address of PVS Server> -PvsServerPort <Port PVS API is configured to listen on> -Credentials <PSCredential Object returned by Get-Credential>
The following cmdlets are included with the new PVS API implementation:
- Get-PvsApiServiceStatus. Pings the service to determine whether the service is up and running at a particular address/port.
- Get-PvsConnection. Log into the PVS API.
- Clear-PvsConnection. Logout of PVS API; this adds the Auth Token to the blacklist.
- Start-PvsProvisionXdMachines. Used for XenDesktop Setup Wizard automation.
- Start-PvsProvisionMachines. Used for Streaming VM Setup Wizard automation.
- Get-PvsProvisioningStatus. Uses the ID returned from either of the previous two commands to get the status of the current provisioning session.
- Stop-PvsProvisionMachines. Uses the ID returned from either of the previous two commands to cancel the current provisioning session.
Examples for these PowerShell cmdlets can be accessed using Get-Help CommandName -Examples.
The rest of the PowerShell cmdlets are all part of the DatabaseAccess layer.
PVS API authentication
When connecting to the API using the Set-PvsConnection PowerShell command, a connection object is returned, resembling the image below:
Enhanced multi-tier Active Directory group search
Within Provisioning Services, the user access control method is based on the user’s Active Directory login credentials and the PVS administrative group configuration. As a result of this method, AD group enumeration is repeatedly triggered by events associated with Configuration Wizard and Console operations; in complex AD environments where spurious logins can occur, the system can become sluggish, with slow responses resulting in connection timeouts to the PVS Console. This release resolves such issues by improving the method responsible for AD group enumeration.
Prior to this release, AD group enumeration occurred by scanning memberships associated with the user’s login in its domain and the entirety of the trusted domains until all the user’s group memberships were determined, or until there were no additional domains to search. The identified groups are compared to the PVS administrative groups defined in the database to determine the user’s access rights.
With this release, AD group enumeration has been enhanced to intelligently search preferred domains for a user’s login memberships, rather than searching the entirety of groups over all domains. The PVS administrative group name associated with the user’s login credential is used to provide the preferred domain list. The user’s domain list is searched first, followed by the preferred list; during this search, if a Farm’s administrative group is discovered, the search halts because the user already has full access rights to the PVS Farm. This new search paradigm also includes a mechanism that uses the domain security ID to verify if the domain contains the intended groups. This modified searching approach of domains for a user’s login membership should address the needs of most AD environments, resulting in faster Configuration Wizard and Console operations.
Modifying the search approach
For some special AD environments, typically those with complex nested groups and indirectly related over-trusted domains, the default search method may be unable to find the user’s expected PVS administrative memberships. To resolve such scenarios, a registry setting has been added enabling you to change the search approach:
- In the registry, locate HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ProvisioningServices.
- Create a DWORD named “DomainSelectOption”.
- In the DomainSelectOption DWORD, set one of the following values (in decimal format) for the desired search approach:
0 – The default search. This method searches the user’s domain followed by PVS administrative group domains.
1 – Search in the user’s domain and in the PVS administrative group domain, followed by other trusted domains within a user’s domain.
2 – Obsolete.
3 – Search in the user’s domain followed by PVS administrative group domains; the groups that are discovered are further enumerated over the parent’s domain.
4 – Search the user’s domain and in the PVS administrative group domain, followed by other trusted domains within a user’s domain; the groups that are discovered are further enumerated over the parent’s domain.
For more information, see the Provisioning Services 7.17 documentation.
Session Recording 7.17
The insertion of USB mass storage devices can be logged. As of the 7.17 release, Session Recording can log the insertion of a Client Drive Mapping (CDM) mapped or generic redirected USB mass storage device in a client device where Citrix Receiver for Windows or for Mac is installed, and can tag the event in the recording. For more information, see Log insertion of USB mass storage devices.
App Layering 4.9
This release includes the following improvements.
- Nutanix connector. The Nutanix connector now supports Nutanix AHV 5.5!
- ShareFile downloads. You can now save changes to files downloaded using Citrix ShareFile. You can save changes once you install ShareFile Drivemapper 3.10, released in Dec 2017. (UNI-55850)
- CentOS security patches. The latest security patches from CentOS have been incorporated into the App Layering appliance.
- Windows registry when adding a new version to an existing App layer. An issue is fixed that occurred in a few cases when adding a new version to an existing layer. The issue, which affected existing layers if they had Windows registry keys that included a very high number of subkeys, caused portions of the registry to be dropped. This no longer happens. (UNI-62404)
Labs features in this release
Labs features are previews of functionality planned for future releases. While a feature is in Labs, you should not use it in production. You must enable each of these features in System > Settings and Configuration before you can use them. In this release:
- User Layers. User layers let you persist user profile settings, data, and user-installed applications in non-persistent VDI environments. This feature is supported in Windows 7 64-bit and Windows 10 64-bit environments for Citrix XenDesktop, VMware Horizon View, and View JIT.
- App layers can be elastically assigned to layered images that use a different OS layer. Until now, elastic layer assignments required that the App layer assigned use the same OS layer that was used to create the App layer. Now you can elastically assign App layers using other OS layers available on your App Layering appliance. There is no guarantee that the app layer will work on a different OS layer, but now you can try it. If it does not work, then disable this feature on the layer and only use the OS that the app layer was created with. In addition, you must use the original OS layer when adding versions to your application layer.
For information about Citrix App Layering-supported platforms, see System requirements.
You can upgrade from any previous Citrix App Layering 4.x version to the current release.
XenMobile Server 10.8
XenMobile Server 10.8 includes the following new features:
- Install offline maps on supervised Windows 10 phone devices
- New restrictions for supervised devices running iOS
- Set how app notifications appear on iOS devices
- Support for the new Cisco AnyConnect VPN client for iOS
- FileVault device encryption on enrolled macOS devices
- Support for Samsung Enterprise Firmware-Over-The-Air
- Enhanced security for work profiles for Android for Work
- Unenrolling an Android for Work enterprise
- Specify the behavior when Android for Work apps request dangerous permissions
- SNMP Monitoring
- Support for the Microsoft JDBC driver for SQL Server
- Server property changes to improve server tuning
- Optimized device property search
- Other improvements
XenServer 7.4 is a Current Release (CR). The Current Release model allows customers to consume new features at the earliest possible juncture. This contrasts with the Long Term Service Release (XenServer 7.1 LTSR), which guarantees stability in terms of the feature set within XenServer. XenServer 7.4 is available in the following editions:
- Standard Edition
- Enterprise Edition
- Free Edition
GPU vendor support
The following table summarizes GPU and shared GPU support for guests at XenServer 7.4
New Features and Improvements in XenServer 7.4
XenServer 7.4 introduces enhanced features and functionality for application, desktop, and server virtualization use cases. All XenServer 7.4 features are available to all licensed XenApp/XenDesktop customers.
vGPU XenMotion (Enterprise Edition)
You can migrate VMs with vGPUs between hosts without shutting the VMs down, allowing administrators to take advantage of XenMotion with vGPUs attached. vGPU XenMotion is available upon release of supported software and graphics cards from GPU vendors (see the Hardware Compatibility List). In addition to XenMotion, Storage XenMotion and VM suspend with vGPUs attached have also been enabled in this release for VMs using supported software and graphics cards.
With the addition of support for AMD’s virtualized graphics solution, XenServer continues its leadership in the virtualized graphics domain. XenServer customers can use AMD MxGPU provided by the AMD FirePro S7100-series GPUs. Please see the list of supported hosts on the Hardware Compatibility List.
XenServer Entitlement for Citrix Cloud XenApp and XenDesktop Service Subscribers
If you have a Citrix Cloud XenApp and XenDesktop Service subscription that enables the use of on-premises Desktops and Apps, you are entitled to use XenServer for hosting these Desktops and Apps. XenServer 7.4 enables the required licensing to use this feature. With this license you can use all of the same premium features as with an on-premises XenApp and XenDesktop entitlement. Download a license through the licensing management tool. Install this license on your License Server to use on-premises XenServer with your XenApp and XenDesktop Service subscription.
Licensing Server 184.108.40.206 (build 23101)
Citrix Licensing Manager Enhancement. Simplify data export by allowing you to select all products, all license models, and all Customer Success Services (Subscription Advantage) dates. Previously, you had to select a specific product, model, and Customer Success Services date range.
uadmin.exe enhanced reporting output. uadmin.exe output provides better reporting and display of User/Device license use. The .csv file format reflects this enhancement. For more information, see Licensing commands.
Receiver 4.11 for Windows
Local launch of the application in a double-hop scenario using vPrefer
In earlier releases, you could specify that the instance of an app installed on the VDA (referred to as local instance in this document) must be launched in preference to the published application by setting the KEYWORDS:prefer="application" attribute in Citrix Studio.
Starting with this release, in a double-hop scenario (where Citrix Receiver is running on the VDA that is hosting your session), you can now control whether Receiver launches the local instance of an application installed on the VDA (if available as a local app) in preference to launching a hosted instance of the application.
vPrefer is available on StoreFront Version 3.14 and XenApp 7.17 and later.
When you launch the application, Citrix Receiver for Windows reads the resource data present on the StoreFront server and applies the settings based on the vprefer flag at the time of enumeration. Citrix Receiver for Windows searches for the installation path of the application in the Windows registry on the VDA and, if present, launches the local instance of the application. Otherwise, a hosted instance of the application is launched.
If you launch an application that is not installed on the VDA, the hosted application is launched. For more information on how the local launch is handled on StoreFront, see Control of local application launch on published desktops in StoreFront documentation.
If you do not want the local instance of the application to be launched on the VDA, set LocalLaunchDisabled to True using PowerShell on the Delivery Controller.
This feature helps to launch applications faster, thereby providing a better user experience. You can configure it by using the Group Policy Object (GPO) administrative template. By default, vPrefer is enabled only in a double-hop scenario.
For more information on configuring vPrefer, see Configuring vPrefer launch using the GPO administrative template.
Show or hide the remote language bar
Starting with this release, you can choose to show or hide the remote language bar in an application session using the graphical user interface. The language bar displays the preferred input language in a session. In earlier releases, you could change this setting using only the registry keys on the VDA. Starting with Citrix Receiver for Windows Version 4.11, you can change the settings using the Advanced Preferences dialog in Citrix Receiver for Windows. The language bar appears in a session by default.
For more information, see Language bar.
This feature is available in sessions running on VDA 7.17 and later.
Support for Visual Studio 2017
Starting with this release, Citrix Receiver for Windows is built with Visual Studio 2017 Compiler.
If you are using a custom Virtual Driver with earlier versions of Virtual Channel SDK, you must recompile it using Visual Studio 2017 and the latest version of Virtual Channel SDK.
Support for Lossless compression codec (MDRLE)
A higher compression ratio MDRLE encoder is added to Thinwire. The MDRLE codec consumes less bandwidth in typical desktop sessions than the 2DRLE codec. If the codec is supported on the server and client sides, it’s used instead of 2DRLE. For more information, see the Thinwire article.
In Citrix Receiver for Windows 4.10 and earlier, there were three Thinwire bitmap encoding modes used for server OS and desktop OS VDA graphics remoting:
- Full-screen H.264
- Thinwire Plus
- Thinwire Plus with selective H.264
In a typical desktop session, most of the imagery is simple graphics or text regions. When any of the three bitmap encoding modes listed are used, Thinwire selects these areas for lossless encoding using the 2DRLE codec. Citrix Receiver for Windows decodes these elements using the Citrix Receiver-side 2DRLE decoder for session display.
In Citrix Receiver for Windows 4.11, a higher compression ratio MDRLE encoder is supported that consumes less bandwidth in typical desktop sessions than the 2DRLE codec.
Lower bandwidth usually means improved session interactivity (especially on shared or constrained links) and reduced costs.
No configuration is required for the MDRLE codec. If Citrix Receiver supports MDRLE decoding, the VDA uses the VDA MDRLE encoding and the Citrix Receiver MDRLE decoding. If Citrix Receiver doesn’t support MDRLE decoding, the VDA automatically falls back to 2DRLE encoding.
- XenApp and XenDesktop minimum version 7.17 VDAs.
Browser content redirection
Browser content redirection redirects the contents of a web browser to a client device and creates a corresponding browser embedded within Citrix Receiver. This feature offloads network usage, page processing, and graphics rendering to the endpoint. Doing so improves the user experience when browsing demanding web pages, especially web pages that incorporate HTML5 or Flash video.
For more information, see Browser content redirection in the XenApp and XenDesktop documentation.
Download Citrix XenDesktop 7.17 and Citrix XenApp 7.17 here (requires MyCitrix ID)
Download Linux VDA 7.17 here (requires MyCitrix ID)
Download Citrix Storefront 3.14 here (requires MyCitrix ID)
Download Citrix Profile Management 7.17 here (requires MyCitrix ID)
Download Citrix Provisioning Services 7.17 here (requires MyCitrix ID)
Download Citrix Licensing 220.127.116.11 here (requires MyCitrix ID)
Download Citrix App Layering 4.9 here (requires MyCitrix ID)
Download Citrix XenMobile Server 10.8 here (requires MyCitrix ID)
Download Citrix XenServer 7.4 here (requires MyCitrix ID)