Citrix is constantly innovating with our Citrix Workspace app releases. With the launch of Citrix Workspace app 2009 for Mac, we have introduced changes to USB redirection. Let’s take a closer look at what has changed and how USB redirection works on Citrix Workspace App on Mac.

Deprecation of Kernel Extensions (KEXT)

At WWDC 2019 Apple announced the deprecation of Kernel Extensions (KEXT) in macOS Big Sur in favor of a new driver technology in the Driver Extensions (Dext) user mode. Previously, Citrix Workspace app for Mac used the KEXT for Generic USB device redirection feature, where in any connected USB device on macOS would be redirected to the Citrix Virtual Apps and Desktops sessions in a transparent way.

With this shift from Apple, Citrix has developed a solution that does not involve any KEXT to support Generic USB Redirection and further enable our users.

New Generic USB Redirection Based on Apple’s IOUSBHost User Mode Framework

We are pleased to announce that we are enabling the new Generic USB redirection stack for macOS Big Sur 11 based on Apple’s native user mode IOUSBHost framework in Citrix Workspace app for Mac 2009. This enables us to completely eliminate the need for the KEXT for Generic USB Redirection feature.

Because IOUSBHost framework is supported from macOS Catalina 10.15 onwards, the minimum macOS version required to leverage this new Generic USB stack with Citrix Workspace app for Mac 2009 is macOS Catalina 10.15.

Optimized vs. Generic USB Devices

Before we take a deep dive into Generic USB Redirection in Citrix Workspace app for Mac, it’s important to understand the difference between optimized and generic USB devices. An optimized USB device is one that Citrix Workspace has specific support for (for example, webcam redirection via the HDX multimedia virtual channel). A generic device is a USB device for which there is no specific support in Citrix Workspace app for Mac.

By default, USB devices with optimized virtual channel support cannot be redirected via Generic USB Redirection unless “Generic” mode is explicitly selected for the device. I’ll go over how this is done later in this post.

In general, you will get better performance for USB devices in “Optimized” mode than in “Generic”. However, there may be cases where a USB device may not have full functionality in “Optimized” mode so it may be necessary to switch to “Generic” to gain full access to its features.

Citrix HDX optimizes dedicated virtual channels, providing superior performance for selected classes of USB devices when compared to redirecting them in a generic way. This is due to the USB Protocol overhead present when using Generic USB device redirection. HDX optimized virtual channels should be used when possible. Please note, when using the device in generic mode, the device will not be available on the macOS.

Here is a map of the optimized Virtual Channels and corresponding class of USB devices

USB Device Class Citrix HDX optimized Virtual Channels
Mass Storage Devices Client Drive Mapping (CDM)
Webcam Multimedia Redirection
Microphone Audio Redirection
Printer Printer Redirection

Generic USB Redirection is controlled by HDX group policies and with client-side policies. You can find more information on configuring the group policies here and more information on client-side policies here.

Enabling Generic USB Redirection

Generic USB Redirection will be enabled in Citrix Workspace app for Mac as long as it’s enabled on the server to which you are connecting. By default, Generic USB Redirection is disabled in Citrix Virtual Apps and Desktops, but it can be enabled in Citrix Studio via the “Client USB device redirection” policy.

Redirecting USB Devices

The primary way to redirect a USB device into an HDX session is via the Devices menu. The Devices menu can be found in two locations in Citrix Workspace app for Mac. The first is when clicking the new Devices button on the Desktop Toolbar:

There is also a USB Devices menu in the main Citrix Viewer menu bar:

A generic USB device that is not currently redirected will appear as an enabled, unchecked menu item. A generic USB device that is currently redirected will appear as an enabled, checked menu item. An optimized USB device will appear as a disabled, checked item.

To redirect a generic USB device, select the menu item for that device. Select it again to stop redirection for that device. To redirect an optimized USB device as a generic USB device, in the menu bar, under Devices->USB Devices, select “Manage Devices” to see Device preferences, which we’ll cover in the section “Configuring USB Redirection”.

Once a USB device has been redirected to the remote session, it is no longer accessible to applications on your Mac. Only Citrix Workspace app for Mac can access the device. It’s also only possible to redirect a device to a single Citrix HDX session at a time.

Notifications

When launching a session or when plugging a new USB device into your Mac with an existing session running, Citrix Workspace app for Mac will display a notification if there are new generic USB devices that can be redirected into the session.

If you click on the notification, a dialog will be displayed listing the devices capable of being redirected.

To redirect one or more of the devices, select the devices that you wish to redirect and press the Connect button.

There are some things to note about this notification:

  • It only applies to “Generic” devices. If a device has optimized virtual channel support, the notification will not cause the notification to appear nor will the device be listed in in the dialog.
  • When plugging a new device into your Mac with an existing session running, the notification will only appear if a Citrix Viewer instance is the foreground application.

Configuring USB Redirection

Under Preferences, the “Devices” preferences pane as relates to Generic USB redirection shows the list of connected devices and their respective states.

The USB section contains a table of the currently connected USB devices, listing their device class, name, connection state, redirection state and virtual channel mode. This is a live listing and will automatically update as devices are added or removed.

From the device table, it’s possible to redirect or stop redirecting a device with the Redirect checkbox. You can also switch a device between “Generic” and “Optimized” mode via the dropdown in the Virtual Channel column.

One thing to be aware of, because it might be slightly confusing at first, is that the device table will only appear if the Preferences window is opened from Citrix Viewer. If you open it from Citrix Workspace app for Mac or the menu bar icon, the table will not be available but the USB preferences below it will.

Under the device table you have two options that you can enable based on your preference:

  • When a new device is connected while a session is running, connect the device automatically: While an active Citrix Viewer is the foreground application on your Mac and you plug a new generic USB device, it will be automatically redirected to the foreground session.
  • When a session starts, connect devices automatically: Any generic USB device that is not already redirected in another session will automatically be redirected into a newly launched session.

USB Device Policy

It’s possible that customers may want to prohibit or allow certain types of devices from being redirected. To this end, Citrix Workspace app for Mac supports two types of policies regarding the kinds of USB devices can be redirected.

The first is USB Client Policy. On Citrix Workspace app for Mac, USB Client Policy is controlled by a text file located at /Library/Application Support/Citrix Workspace/usb.conf. The default USB Client Policy in Citrix Workspace app for Mac looks like this:

# Policy file for USB remoting
#
# Lines are processed in order; the first match (ALLOW or DENY) is
# used.
#
# Syntax is an ordered list of case insensitive rules where
# is line comment
# and each rule is (ALLOW | DENY) : ( match )*
# and each match is (class|subclass|prot|vid|pid|rel) = hex-number
# Maximum hex value for class/subclass/prot is FF, and for vid/pid/rel is FFFF
DENY: vid=17e9 # All DisplayLink USB displays
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
DENY: class=03 subclass=01 prot=02 # HID Boot mice
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
DENY: class=ef subclass=04 # Miscellaneous network devices
ALLOW: # Otherwise allow everything else

Citrix Workspace app for Mac processes this file and uses it to determine if a particular USB device should be allowed to be redirected. Those of you who are familiar with Generic USB Redirection on Citrix Workspace app for Mac or for Citrix Workspace app for Windows or Citrix Workspace app for Linux will notice that it follows the same rule format.

The second policy type is USB Server Policy. During session initialization, the server sends Citrix Workspace app for Mac the USB Server Policy. Like the USB Client Policy, the USB Server Policy is processed and used to determine if a particular USB device can be redirected. USB Server Policy can be configured in Citrix Studio via the “Client USB device redirection rules” policy.

For more information on this feature, check out our product documentation. Download Citrix Workspace app 2009 for Mac today to start testing this in your environments!