With the rollout of Rendezvous (V2), admins leveraging Azure AD joined or non-domain joined workloads no longer have the requirement of deploying cloud connectors in these resource locations. This not only reduces the complexity but also reduces the time it takes to set up and initially deploy workloads.
In this article, I focus on the Non-Domain-joined (NDJ) use cases, with Workspace Environment Management (WEM) in conjunction with Rendezvous V2 Protocol. Deploying non-domain joined machines removes the ability for admins to apply domain-based policies and centrally manage machines. Workspace environment manager will allow admins to continue to manage these machines even when non-domain joined. RV2 eliminates the need for a Citrix Cloud Connector to send HDX traffic, Control traffic, and traffic for WEM.
The main reason for using a non-domain joined (NDJ) VDA is to reduce administrative overhead. Admins no longer need to manage user accounts, and still provide the ability to single sign-on securely to published applications and desktops. In the past, the configuration of NDJ machines and Citrix policies was time-consuming. This configuration is done prior to the creation of the catalog. This is because the image is not joined to a domain, policies need to be administered locally on the image. Updates to the Workspace Environment Manager now allows for the management of policies on demand to NDJ machines in a simple and easy solution.
When using NDJ VDAs the user account is “mapped” to a local account of the VDA through the Citrix Services during the VDA configuration installation. There is no need to map/create a local account at the time of image creation, this is done dynamically.
You can use any public cloud of choice to host your NDJ VMs such as Azure, GCP or AWS, I will be using Azure in this blog and Azure Active Directory as the authentication method, Note that Okta, or other IDPs are also supported, but I have not tested all scenarios to date.
High level configuration steps:
- Access has to be made via the subscriber function from Citrix Cloud Portal.
- Separate WEM installation media to the VDA
- Use Machine Catalog assignment to link to the WEM configuration set.
Requirements:
- VDA 2203 or later: Single-session (desktops only) or multi-session (apps and desktops) you can use Dedicated and pooled for the assignment type.
- Create VM in Azure (All platforms are supported by MCS, but for this blog, I will be using Azure).
- Create a blank Resource Location in Citrix Cloud Portal.
- Add a hosting connection to your Azure instance.
- Rendezvous V2 must be enabled.
- Using Azure Active Directory have users created to assign to Delivery Groups.
- Authentication method set to Azure Active Directory in Citrix Cloud. If you plan to provision machines on on-premises hypervisors or if you want to use Active Directory as the identity provider in Workspace you will need a cloud connector and authentication set to Active Directory.
Please note that all the above steps can be followed in a previous blog article created by my colleague Javier Lopez Santacruz: https://citrixie.wordpress.com/2022/06/06/citrix-modern-cloud-deployment-in-azure-pure-aad-mem-intune-and-non-domain-windows-10-11-desktop-connectorless-poc-configuration/
Stand-alone WEM agent version 2103.2.0.1 or later.
Limitations
Currently, the ability to perform administrative tasks (such as refreshing the cache, resetting settings, and retrieving agent information) through the administration console is not supported for non-domain-joined agents.
Remote PC not supported.
Service continuity is not supported.
Non Domain joined VDA and Rendezvous V2 Protocol
In Azure, prepare a master image that has a Citrix VDA 2206, screenshot below shows NDJ set up on Windows server 2019
Run the VDA installer as Administrator
Currently, MCS is the only provisioning method supported
Leave Defaults on Core Components, click “Next”
Untick all Additional Components unless specifically required for your use case, note that I am using the standalone WEM installer as there are additional settings to configure. Do not install the WEM agent with the VDA install. Click “Next”
For Delivery Controller Configuration make sure you tick “Let Machine Creation Services do it automatically”, click “Next”
Leave Defaults on Features, click “Next”
For firewall leave “Automatically” ticked, click “Next”
On Summary, click “Install”
As this is my lab environment I will be unticking Collect diagnostic Information, click “Next”
Restart and tick “Restart machine” – Click “Finish” to complete the installation of the VDA
Next, enable the Rendezvous V2 protocol to view more information about how this connectorless approach works you can read more on our official Rendezvous V2 product documentation website: https://docs.citrix.com/en-us/citrix-daas/hdx/rendezvous-protocol/rendezvous-v2.html
Create the following regkey:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent
Value type: DWORD
Value name: GctRegistration
Value data: 1
Next, we will install the WEM agent
You can download it from the Citrix cloud Portal inside WEM Utilities
Right Click “Run as Administrator”
Agree to the License Agreement, click “Install”
Click – “Next”
Click “Next”
It’s important at these next two steps that you select “Cloud Service Deployment” and “Skip Configuration”, Click “Next”
Leave defaults and Click “Next” on Advance Settings
Click “Install”
Click “Finish”
Click “Close”
Once installed go back over to your Citrix Cloud Tenant, we will now generate the API keys to allow the WEM agent to communicate with Citrix cloud.
In the Citrix Cloud portal go to Identity and Access Management
In the Identity and Access Management Window, give it a name and click “Create Client”
Download the ID and Secret, it will need to be accessible from the VDA. Click “Close”
Open PowerShell as an admin on your VDA and run the following command:
Citrix.Wem.Agent.EnrollmentUtility.exe enroll –customer “dcinte5476c2” –clientid “66eb89c0-33fc-4884-9754-676e93cbcb63” –clientsecret “” –authurl “api-us.cloud.com” –url “api.wem.cloud.com”
List as follows for authentication URLs:
Base URLs and authentication URLs vary from region to region, select the appropriate region based on your Citrix cloud tenant location.
United States (US): api.us.cloud.com
European Union (EU): api.eu.cloud.com
Japan(JP): api.jp.cloud.com
Asia Pacific South (APS): api.aps.cloud.com
List as follows for base URLs:
- United States (US): api.wem.cloud.com
- European Union (EU): eu-api.wem.cloud.com
- Japan(JP): jp-api.wem.citrixcloud.jp
- Asia Pacific South (APS): aps-api.wem.cloud.com
For more information, see Get started with Citrix Cloud APIs & Enroll Agents.
You will see the below:
You have now opened the api.wem.cloud.com this will allow the WEM agent on the NDJ machine to communicate with the WEM infrastructure service in Citrix Cloud which is allowing the Citrix Azure SQL Database back end Service and Citrix Cloud WEM Administration Console Access. All communication is done via HTTPS using the Citrix Cloud Messaging service.
You can now go back over to your Citrix cloud portal and open the Workspace Environment Management console click on the new Web Console view for WEM and then click – Directory Objects and finally click – Add object.
Click on the drop-down and select “Non-domain-Joined-machines” drop-down
Select your machine, mine is Tonyva-NDJ-WEM once selected you can then drop down the “bind objects to this configuration set” and select on your configuration set.
Review Directory Objects to confirm configurations:
You can now shut down the VM and then inside your Citrix cloud console go to Citrix DaaS.
Once in the Citrix DaaS go to machine Catalogs and click – Create Machine Catalog
Use Machine Catalog assignment to link to the WEM configuration set.
Select Machine type and click – Next
Select your hosting connection and click “Next”
Select your Master image
Select the VM
Chose your Storage and License Types, click “Next”
Select your machine size(s), click “Next”
Select your Associated Network, click “Next”
Disk Settings can be left as default, click “Next”
Select your blank resource group and click “Next”
Select Non-domain-joined and name your machine, click “Next”
Leave the defaults, click “Next”
Select your WEM Configuration Set that will be bound to the Machine Catalog, Click “Next”
Name your machine catalog and click, “Finish”
Once finished create a Delivery Group, click “Next”
Select your machine catalog, click “Next”
Leave the management to Citrix Cloud, click “Next”
For the demo, we will be not selecting apps, click “Next”
For scopes leave defaults click “Next”
Leave default license and click “Next”
Name your Delivery Group and click, “Finish”
Once done go over to the Library in Citrix Cloud
Click on, “Manage Subscribers”
Select your domain in Azure and your Azure AD users
Create the studio policy to use the Rendezvous Protocol – I have the policy assigned to all objects on the site.
Now the configuration is complete. Login to your Citrix Store and launch the Non-Domain joined desktop. The video below demonstrates the end user experience for the end user and the confirms the applied configuration
Takeaways
In this blog I have configured NDJ, and WEM within a connectionless environment. This new capability removes the complexity of joining machines to a domain and installing cloud connectors while allowing you to apply WEM policies.
Useful Links:
https://docs.citrix.com/en-us/citrix-daas/install-configure/azure-joined-ndj-vda-configuration.html
citrixie.wordpress.com 
Excellent write up! FYI, there is another Enroll mode -by invitations for NDJ machines. And it would be even greater if we could add NDJ user profiles, which has been supported.
LikeLike