Citrix Workspace For Mac High Sierra

pre-introduction | you guys...

Since i upgraded to High Sierra, citrix crashes each time i try to use it this has been working flawlessly before I un-installed Citrix using the uninstaller on the installation disk, and re-installed it. Im running this through Safari 11.0.2 Citrix Receiver version 12.8.1 MacOs 10.13.2 I attach.

SRS CITRIX ADMINISTRATORS 10/20/20 CITRIX USER ACCESS – SETUP INSTRUCTIONS FOR A MAC COMPUTER 1 kmr Citrix USER ACCESS – Setup Instructions Apple Mac computers Contents: I. Citrix Applications and Desktops: Rules of Behavior II. Frequently Asked Questions and Notes III. Installing Citrix Workspace App IV. Citrix Files Drive is Unavailable. Citrix Files gives you access to the files on your Workspace account by making them available as a storage drive (like an SD card or a thumb drive). This drive needs to mount itself into your Mac's file system before files can be accessed from Citrix Files. Dec 14, 2018 Citrix Workspace app for Mac overview High performance web and self-services access to virtual apps and desktops. Configure for anywhere access from your desktop or web access with Safari, Chrome or Firefox. Outlook for mac 10.13 high sierra. As of September 25, 2017, macOS 10.13 High Sierra is publicly available for all Mac users to install. Office 2016 for Mac is fully supported on High Sierra. For the best experience, we recommend you update Office to version 15.38 or later.

On 28 March 2020, I started tracking how many visitors have come to this page. I thought it might be a fun piece of data to have!

Today is 17 JAN 2021 and I just checked the logs...

  • 2,263 unique users
  • 4,011 sessions

What a humbling number. Also, the average session duration is only 3:16 which means you guys are FLYING through these instructions!

This website started as a quick way to share setup instructions. It's neat to see it thriving!

Anyway, just wanted to say thanks...on to the instructions.

introduction | mac & pc

This page was created to help users access AVHE medical applications and DEE Webmail from home.

It was started to help Mac users access these applications but I have added some information for Windows users as well.

I know it can get technical and a bit wordy, but please try to follow these instructions in order and do specifically what they ask you to do.

Each blue section header is labeled with Mac and PC so you know if the section applies to your platform.

If you find yourself stuck, send me an e-mail. My contact information is in the Outlook Global. I'm the only Lt Col Jacob Wessler in there.

Please include a screenshot of your current error. (Mac Screenshot Instructions | PC Screenshot Instructions)

Good luck!!
Jacob

jump to section

  • Should I use a Mac or a PC? | mac & pc
  • What CAC reader should I get? | mac & pc
  • Gatekeeper and Installing Software | mac
  • Enable your CAC reader | mac
  • DOD Certificates | mac & pc
    • Trust Certs | mac
    • InstallRoot | pc
  • CITRIX Workspace App | mac & pc
  • Which Browser Should I Use | mac & pc
  • AVHE | mac & pc
    • New AVHE User | mac & pc
  • DHA Desktop | mac & pc
  • Webmail | mac & pc
  • Troubleshooting | mac & pc
    • Clear Keychain | mac
    • Google Chrome Bug | mac & pc
    • Client Auth Error | mac & pc
    • White Screen of Death | mac & pc
    • PC Certificate Errors | pc
  • Version Archive | mac & pc

mac or pc | mac & pctop

This is a great place to start.

You can get AVHE and the DHA Clinical Desktop working on any modern macOS or Windows machine. Some take a little more work than others but you can have success with either.

Some people feel that Windows works better because a lot of the CAC reader software is included by default. This is changing with macOS, though, and, starting with macOS Catalina, SmartCard Services are included out of the box.

So, you can do it with just about any computer.

Except Chromebooks. NEVER Chromebook. You can't get a good CAC reader for Chromebooks. Many have tried. They have all failed!

So, I advise people to stick with what they have. You can get it to work. If you decide to bail on macOS, you can find a cheap PC somewhere that should work for checking e-mail every now and then!

what CAC reader should I get? | mac & pctop

Get one of these two CAC readers. (click the links to shop at Amazon. These are NOT affiliate links. I don't make any money from you clicking them.)


SCR3500 USB reader

PC USERS - Some folks still have success with the SCR331. But, you'd be safer buying a new one.
MAC USERS - Stay away from the SCR331. It's pretty old and doesn't play well with the current setup.
It looks like this:


SCR331 USB reader

gatekeeper and installing software | mactop

Apple has a safety feature called Gatekeeper. This program prevents you from installing potentially dangerous software. Basically, any software that is NOT sold directly from Apple is considered dangerous. In order to install certain programs (like the CAC enabler software and CITRIX), you may need to disable Gatekeeper.

Go to this article from Apple to learn how to disable Gatekeeper or bypass it for one application. If you disable it, please re-enable it after installing CITRIX.

It's safer that way.

enable your CAC reader | mactop

Before we talk about CAC enablers, we need to know which version of macOS you are running.

To find your operating system, click the Apple icon in the top left corner of your screen and select 'About this Mac.' The pop-up will tell you what version is installed (ex: Version 10.13.6).

If you have macOS 10.15 or later, read subsection 1. If you have 10.14 or earlier, read subsection 2.

subsection 1 - macOS 10.15 and later

For macOS 10.15 (Catalina) and later, you CANNOT install a CAC enabler. The operating system has built-in software to read your CAC. You will still need to install the DoD Certificates and CITRIX, though.

1) If your computer is BRAND NEW with macOS 10.15 or later and you have never installed a CAC enabler on it - DON'T INSTALL ONE. You can skip ahead.

2) If your computer is older and you upgraded to 10.15 (or later), you may need to remove any old CAC enablers and re-enable SmartCard services (if you disabled it).

Go to this article from MilitaryCAC.com and follow the instructions to remove any old CAC enablers you may have installed on your computer. (If you bought a brand new computer with macOS 10.15 installed, you can skip this step.)

If you have previously disabled the included SmartCard services in macOS 10.13 Sierra or later, you will need to re-enable those services. Those instructions are at the very bottom of this page in NOTE3.

subsection 2 - macOS 10.14 and earlier

For macOS 10.14 or EARLIER (Mojave, High Sierra, Sierra, etc), you will need to install a CAC enabler. If you have macOS 10.15 (Catalina) installed READ THE PART ABOVE FOR macOS 10.15!!!

Now that you have a CAC reader, you have to install some software to make it work with your Mac.

To choose the right software, we need to know if you have a Gemalto or an Oberthur CAC. Look on the back at the top of the card. There is a small strip of numbers and words. Look for the word Gemalto or Oberthur.

Go to this site and find the right CAC enabler for your CAC type and your Mac operating system.

Citrix workspace for mac high sierra

I start with CACKey. I have had good success with it and use it first. It's free so that's a big selling point!

PKard is another good option (and has its apostles) but you have to buy the software (~$40). I have had success with CACKey for the past 8 years. You can likely get away without having to pay for PKard, but it is available as a last resort.

Note: You may need to disable gatekeeper to install the software.

Now we need to make sure your CAC reader is working. Plug your reader into your computer, put your CAC in the reader, and open Keychain Access. (Click the magnifying glass in the top right of your screen and type in Keychain. Select Keychain Access)

Above the login item in the top left corner should be your name or PIV_II or something similar (depending on your CAC).

Click ONCE on that listing (you cannot unlock your CAC card...nor do you need to) - if you can see a bunch of certificates on the right side of the window, some with your name and some without, then you were successful. If not, go back and download a different enabler. Make sure that enabler works with your CAC and macOS version.

dod certificates | mac & pctop

This has become one of the biggest hurdles for new users to get over.

Make sure you follow these instructions closely. If you have already installed the DoD Certificates and you are getting SSL or connection errors, please install the certificates again using these links and these instructions.

These DoD certificates are DIFFERENT than the certificates on your CAC. You need to have the right DoD certificates installed on your computer in order for your computer to talk to the DoD servers.

The DOD updates their certificates every now and then and you need to make sure that you have the most current certificates installed and trusted on your computer.

mac Users

Download the AllCerts.zip file.

Go to your Downloads folder and find the AllCerts.zip file.

If it hasn't expanded to a folder, double-click it. I already double-clicked mine so you can see what the folder looks like.

Double-click the folder to open it and see all the certs

Press Command-A to select all the certs in the folder. Then press Command-O (that's an 'o' not a zero) to open them all.

You will see a dialog box asking if you want to import the certificate. Make sure that 'login' is selected in the drop-down box. Click Add for each certificate (there are a lot of them).

trust those dod root ca certificates

HOLY COW - DO NOT SKIP THIS PART! SERIOUSLY, THIS IS 90% OF THE ERRORS PEOPLE E-MAIL ME ABOUT!!

Open Keychain Access (click the magnifying glass in the top right of your screen and type in Keychain. Press Enter when Keychain Access appears.)

Scroll down until you find the DoD Root CA certificates. Most likely, yours will have red xs by them.

Select all of the ones with red xs (Hold down Control while you click them individually) then press Command-I (that's an 'i') to edit them.

In the window that opens, click the gray triangle next to Trust. Select Always Trust from the first drop-down box.

Click the red circle in the top left corner to close the window. Enter your computer password to accept the change.

Do this for all the DoD Root CA certs until they have blue plusses next to them.

You are now done with the DoD Certificates part of the installation. You may continue on with the CITRIX instructions.

pc users

YOU TOO! THIS IS A VERY IMPORTANT STEP! DON'T SKIP IT!

You need to install the DoD Certificates for your computer. There is a program that will do this for you. It is called InstallRoot.

Go to this page at MilitaryCAC.com and scroll down to the section on InstallRoot (it's a small scroll).

Download the MilitaryCAC (.msi version) to your computer. Find the file. Double-click on it to run it.

Follow the prompts to install the DoD Certificates.

download CITRIX | mac & pctop

Moving along now.

We need to download the CITRIX software to talk to the AVHE servers. Because the software is changing so often, I will direct you to the CITRIX site to download the latest software.

Click here to go to the CITRIX downloads page.

Once there, click on the 'Select Product...' drop-down and select 'CITRIX Workspace App' from the list. On the next page, select 'Workspace App for Mac' or 'Workspace App for PC' from the list. (One user had to download the Workspace App Universal version on PC)

Download the newest version of CITRIX Workspace App and install it.

Note: You may need to disable gatekeeper to install the software.

citrix add an account dialog box

After installing the CITRIX Workspace App, you may get a dialog box asking you to 'Add Account.'

IGNORE this dialog box. Just click cancel and close the app. When you go to AVHE, the plugin will automatically load. You don't need to do anything with this dialog box. Your DoD e-mail account won't work so don't even bother trying it!

which browser should I use | mac & pctop

mac users

I recommend using Google Chrome to access Webmail and AVHE. It just works better.

Chrome is not available in the Mac App Store. You can download it here.

When trying to connect to the AVHE site, you may get an error page stating that your connection is not private. If so, see the Google Chrome Bug troubleshooting tips.

pc users

Most PC users have done okay with Google Chrome but I have seen more and more people need to use Microsoft Edge.

If you are having trouble using Google Chrome, consider trying Microsoft Edge instead.

AVHE | mac & pctop

AVHE stands for Application Virtual Hosting Environment and is used to connect to clinical applications. This means AHLTA, CHCS, and Essentris.

This system uses the CITRIX Workspace App to run applications on your desktop.

You already installed CITRIX, right?

RIGHT?!

Okay...good.

new AVHE user | mac & pc

If this is your FIRST time EVER using AVHE, you need to contact the Global Service Center (GSC) and have them create your account.

Send an e-mail to dhagsc@mail.mil and ask them to create an AVHE account for you.

It is best if you can send this from your DoD E-mail account but you don't have to.

Tell them that you need access to AHLTA, CHCS, and ESSENTRIS in your e-mail because they will likely ask.

If you've used AVHE at a previous command or you have the e-mail from the Global Service Center telling you your account is created, then you can continue.

You can connect to AVHE using this link: https://avhe.health.mil

Note: AVHE links used to be site specific. This is no longer the case. One URL for EVERYONE!

You will be presented with a drop-down asking you to select your CAC certificate.

Select your PIV certificate (DOD ID CA-XX; the numbers may be different for your CAC. That's okay.)

THIS STEP HAS CHANGED! We used to log in with the DOD E-MAIL certificate but now we use the DOD PIV certificate. Go figure.

Mac users will be presented with a dialog box asking for Keychain access. This is asking for your CAC PIN. Do not enter your computer password here. It is your 6-8 number CAC PIN.
PC users will be presented with a dialog box that looks like the one at work. Make sure you select your authentication certificate.

If things are going well, and this is your first time on AVHE, then you should see a Detect Receiver page.

Click the Detect Receiver button there in the middle. It's the blue one. Don't be shy!

Next, you'll see a window pop-up asking if you want to Open the Citrix Workspace Launcher.

Click Cancel.

Then click Already installed.

If you see a blue screen with CITRIX Receiver on it...things are looking good!

Next you should see the DoD Consent banner. Go ahead and click Accept.

If everything worked out, you should see a page with two shortcuts: AVHE Support and DHAGSC Remedy Phone number (This is the DHA Global Service Center (GSC) Helpdesk phone number).

This is your Favorites tab. You can see Favorites at the top middle of the page.

My page has Favorite apps already added in.

Next to Favorites is the Apps tab. Click on Apps to find your site-specific application shortcuts.

Type your MTF in the search box to filter the apps.

The site knows which AHLTA application to give you based on your MTF. The name may not match. For example, Langley users will see the Portsmouth AHLTA app when they type in Langley. That's because Langley AFB is on the same CHCS/AHLTA host as Portsmouth.

Click the Details button of the app you want to use or save.

Click the 'Add to Favorites' button to add this app to your Favorites tab.

Click the Open button to launch the app.

Click around. Have fun. You have just successfully set up AVHE at home.

connect to DHA Desktop | mac & pctop

Some users will have the DHA desktop available to them. This will depend on whether your MTF is using the DHA desktop and whether you have signed up for a CDP account. If you used to use VMWare, you might have a DHA Desktop account.

If you see a DESKTOPS button at the top of your AVHE page, then you DO have access. Click that button and you'll go to the DHA Desktop page.

From there, click on the DHA Desktop - [YOUR MTF HERE]. Click on the Desktop for the MTF you are accessing.

This Desktop will allow you to work on a desktop that looks just like your desktop at work. You can access all network applications (e.g. Synapse) and network shares (like your H: drive or any department/division drives). Since you're using regular Microsoft Outlook, you CAN send and receive encrypted e-mail.

connect to webmail | mac & pctop

Webmail allows you to read and send your Defense Enterprise E-mail (DEE) from home.

Mac Users - You cannot send/read encrypted e-mail or access your personal folders using webmail.
PC Users - You can read and send encrypted e-mail if you install the S/MIME extension. Unfortunately, I do not know how to do that. See Note 7-1 for more information.

Here is the link: https://web.mail.mil

Accept the DoD Consent Banner.

Use your DoD PIV certificate.

The rest is pretty straightforward.

troubleshooting | mac & pctop

There are a lot of things that can go wrong with the above process. Software will change frequently and the system can often get confused.

If you find that your system WAS working but now is NOT, think about anything that might have changed.

Did you:

Citrix Workspace For Mac High Sierra

  • Get a new CAC?
  • Get a new computer?
  • Download new software?
  • Update your computer software?

Any one of these might change your system.

The first step is to troubleshoot your CAC/reader combination. Try logging on to DTS or MyPay. If you can get in there, your problem is with AVHE. If you can't get in there, then the problem is with your CAC/reader combination. Reinstall your CAC enabler to see if that fixes things. (DO NOT reinstall/install a CAC enabler if you are on macOS 10.15 Catalina or later)

clear your keychain | mac

Sometimes, your computer gets confused with which CAC certificate it should present to the server. The easiest way to fix this problem is to delete the keychain preference. You should do this if you notice that you are having trouble logging on when things were working before and you didn't change any of the above things.

Open Keychain

Find any reference to web.mail, web-mail, or AVHE. Click on those entries and delete them.

Go back to WebMail or AVHE and try logging in again.

Remember to use your DOD ID CA-XX certificate.

Google Chrome bug | mac & pc

Some users report getting stuck on Google Chrome with a 'Your connection is not private' error. It looks like this:

If you can get into myPay, DFAS, NKO, etc and you still get this error in Google Chrome follow these steps:

  • Load https://avhe.health.mil and wait for the error message
  • MAKE SURE YOU ARE ON THE RIGHT WEBPAGE!! Following the steps below on the WRONG website could lead to a virus on your computer.
  • Click somewhere on the white part of the web page ONCE with the left mouse button
  • Type in 'thisisunsafe' (without the quotes, all lowercase, no spaces)
  • Seriously, type 'thisisunsafe' and then the page should load
  • If the page doesn't load then this is not your error and something else is going on. Consider reinstalling your certificates.

client auth error | mac & pc

Sometimes, after trying to connect multiple times from one browser session, you might get the following error page when going to the AVHE site.

This happens to me every now and then. I think your computer gets confused with the multiple connection attempts and just gives up.

The way I have found to fix this is to QUIT your browser. Don't just close your current window. Actually quit the program.

Mac Users - Click the name of your browser in the top left corner of your screen. Select Quit [browser name]. (e.g. Quit Google Chrome or Quit Safari)
PC Users - Click the red x in the top right corner of your browser window. If you are prompted, click the 'Close all tabs' button.

UNPLUG YOUR CAC READER FROM YOUR COMPUTER!! Yes, take the whole thing out. Unplug it.

Take your CAC out of your CAC reader.

Plug your reader back into your computer and place your CAC back in the reader.

Restart your browser and give it another shot. You may need to wait 5-10 seconds for everything to settle in before you launch the AVHE website.

white screen of death | mac & pc (I think)

Some people have been getting the White Screen of DEATH!

Basically, the web page just shows you a white screen in Chrome. I have only seen this in Macs but it makes sense that it might happen in Windows as well.

Citrix Workspace For Windows

If you can access DoD Webmail or myPay without trouble then you know your CAC -> CAC Reader -> Computer connection is working.

If you are getting the White Screen of DEATH then right click on the white page and select 'View Source.'

A new Chrome window will pop up with some webpage code in it.

If you see the text 'You are not allowed to login' then you need to contact the Global Service Center at dhagsc@mail.mil and tell them that you either 1) need a new AVHE account (because it's your first time using it) or 2) need them to reset your account because it is corrupted.

Once they create/reset the account, you can go back to https://avhe.health.mil and try it again.

pc certificate error | pc

PC users may see an error about the SSL certs not existing or being trusted or working.

If that happens, you need to install the DoD Certificates and run the FBCA Cross-Certificate Removal Tool.

REMOVE YOUR CAC FROM YOUR READER BEFORE ATTEMPTING THE THREE STEPS BELOW!

1. Go to this page at MilitaryCAC.com and scroll down to the section on InstallRoot (it's a small scroll).

Download the MilitaryCAC (.msi version) to your computer. Find the file. Double-click on it to run it.

Follow the prompts to install the DoD Certificates.

2. NEXT, you should run the FBCA Cross-Certificate Removal tool. This helps to clear up any certificate issues on your computer.

Go to this page and download the FBCA Cross-Certificate Remover tool. Run the program and follow the prompts.

3. Restart your computer and try again. You should be good to go.

thankstop

I hope you found this useful. If you have any comments or critiques, please send me an e-mail. I'm in the global.

Jacob Wessler
Lt Col, USAF

versionstop

I'll keep a running list of version changes here so you can come back and see what has changed if you find you are having problems.

version 3.3uploaded 17 JAN 21

PC SSl troubleshooting section added - FBCA Cross-Cert Removal Tool, Install Root

version 3.2uploaded 08 DEC 20

Added opening section on Mac vs PC. Also NEVER Chromebook.
Version 3.2 Archive

version 3.1uploaded 24 APR 20

Added comment to CITRIX Workspace App for PC users
Added info for new AVHE users
Added screenshots of the Detect Receiver process for AVHE
Added Troubleshooting section on the White Screen of DEATH
Added 'Jump to the top' links for all major blue sections
Version 3.1 Archive

version 3.0uploaded 09 APR 20

Added section on Gatekeeper and linked to it from other sections
Expanded section on DoD Certificates
Updated section on browsers
Added section on Microsoft Edge (pc only)
Added troubleshooting section on the client_auth_signature_failed error
Version 3.0 Archive

version 2.3uploaded 01 APR 20

Added section on Chrome vs. Safari (mac only)
Added screenshot of CITRIX Add Account and why we skip it
Added link to FBCA Cross Certificate Removal tool
Version 2.3 Archive

version 2.2uploaded 31 MAR 20

It's Catalina, not Cantalina...apparently! FIXED 5 errors.
New introduction with instructions for taking a screenshot
New Table of Contents
Refreshed CAC Enabler, CITRIX, and DoD Certificate sections
Google Chrome bug information added
Google Chrome bug screenshot added (Thanks MJD!!)
Version 2.2 Archive

version 2.1uploaded 21 MAR 20

Updated Table of Contents
Clarified CITRIX Workspace app vs CITRIX Receiver
Added info on the DHA Desktop
Expanded Troubleshooting section
Fixed spelling errors and one more CAC tautology (CRIMENY!)
Version 2.1 Archive

version 2.0uploaded 21 FEB 20

Refresh of all instructions
Reduced information as the process is simpler now
Added info on macOS 10.15 Catalina and later
Added DOD Certificates in Troubleshooting
Version 2.0 Archive

version 1.1uploaded 08 AUG 18

Updated URL
Updated screenshots
Added screenshots for Favorites
Fixed all instances of the 'CAC card' tautology (Ugh...)
Version 1.1 Archive

version 1.0uploaded 20 OCT 15

Website created
Version 1.0 Archive