Citrix workspace fails to detect USB devices

Hello,

I’ve been using Garuda for about 9 months now and I love it. And this may not even be Garuda-specific, but I don’t really know where to start… My employer is rather Windows focused and doesn’t actively support Linux, so I’m trying to bridge the gap.

I’m trying to set up a Citrix workspace connection for remote work on my Garuda PC which needs to work in conjunction with a YubiKey. I’ve installed icaclient and yubico-authenticator-bin and both seem to work.

I can see the YubiKey in lsusb and the details are shown in the YubiKey manager. I can also start the Citrix workspace, log in using username and password, and start a desktop session which seems to work just fine.

However, the session lists no USB devices whatsoever.
That also means I cannot use the YubiKey within the session.

Searching on the internet led me to /opt/Citrix/ICAClient/usb/usb.conf. For testing, I’ve added the YubiKey as an autoconnect device, basically allowed everything else as well, and rebooted just to be sure, but it did not change anything.

I also went through the Citrix documentation (Troubleshooting), but it also only brought me to the file above. Other than this file, internet search did not yield any plausible results. There are some bugs being discussed on the arch repository regarding icaclient but not related to my issue.

Maybe someone with a little more Linux experience has an idea?

Thank you.


LSUSB

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:0a6d Logitech, Inc. G433 Gaming Headset
Bus 001 Device 004: ID 048d:5702 Integrated Technology Express, Inc. RGB LED Controller
Bus 001 Device 005: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 002: ID 0bda:5409 Realtek Semiconductor Corp. USB2.1 Hub
Bus 005 Device 003: ID 187c:100e Alienware Corporation HID Device
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 006 Device 002: ID 0bda:0409 Realtek Semiconductor Corp. USB3.2 Hub
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 007 Device 003: ID 046a:0180 CHERRY Strait 3.0
Bus 007 Device 004: ID 1532:0084 Razer USA, Ltd RZ01-0321 Gaming Mouse [DeathAdder V2]
Bus 008 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

/opt/Citrix/ICAClient/usb/usb.conf

CONNECT: vid=1188 pid=A101  # Bloomberg 5 Biometric module
DENY: vid=1188 pid=A001 split=01 intf=00  # Bloomberg 5 Primary keyboard
CONNECT: vid=1188 pid=A001 split=01 intf=01  # Bloomberg 5 Keyboard HID
DENY: vid=1188 pid=A301 split=01 intf=02  # Bloomberg 5 Keyboard Audio Channel
CONNECT: vid=1188 pid=A301 split=01 intf=00,01  # Bloomberg 5 Keyboard Audio HID

CONNECT: vid=1188 pid=9545 split=01 intf=01 # Bloomberg 4 Keyboard HID
CONNECT: vid=1188 pid=9545 split=01 intf=02 # Bloomberg 4 HID
DENY: vid=1188 pid=9545 split=01 intf=03 # Bloomberg 4 Keyboard Audio Channel
DENY: vid=1188 pid=9545 split=01 intf=04 # Bloomberg 4 Keyboard Audio Channel
DENY: vid=1188 pid=9545 split=01 intf=05 # Bloomberg 4 Keyboard Audio Channel

CONNECT: vid=0554 pid=1001 split=01 intf=03 # Nuance Microphone
DENY: vid=0554 pid=1001 split=01 intf=00,01,02 # Nuance Microphone
DENY: vid=df04 pid=0004 # Nuance Mouse

CONNECT: vid=1050 pid=0407 # YubiKey

ALLOW:  class=01 # Audio
ALLOW:  class=02 # Communications and CDC-Control
ALLOW:  class=09 # Hub devices
ALLOW:  class=03 subclass=01 prot=01 # HID Boot keyboards
ALLOW:  class=03 subclass=01 prot=02 # HID Boot mice
ALLOW:  class=0a # CDC-Data
ALLOW:  class=0b # Smartcard
ALLOW:  class=0e # UVC (default via HDX RealTime Webcam Video Compression)
ALLOW:  class=e0 # Wireless controller

garuda-inxi

System:
Kernel: 6.13.7-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 14.2.1
clocksource: tsc avail: hpet,acpi_pm
parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen
root=UUID=cf6e7ed9-45b6-441e-bdba-41ab5af16cbb rw rootflags=subvol=@
quiet resume=UUID=ed44be8f-b433-49ac-818f-7c0c0cb666be loglevel=3 ibt=off
Desktop: KDE Plasma v: 6.3.3 tk: Qt v: N/A info: frameworks v: 6.12.0
wm: kwin_wayland vt: 1 dm: SDDM Distro: Garuda base: Arch Linux
Machine:
Type: Desktop Mobo: Gigabyte model: B650 GAMING X AX V2 v: x.x
serial: <superuser required> uuid: <superuser required> UEFI: American
Megatrends LLC. v: F33a date: 02/07/2025
CPU:
Info: model: AMD Ryzen 7 7800X3D bits: 64 type: MT MCP arch: Zen 4 gen: 4
level: v4 note: check built: 2022+ process: TSMC n5 (5nm) family: 0x19 (25)
model-id: 0x61 (97) stepping: 2 microcode: 0xA60120C
Topology: cpus: 1x dies: 1 clusters: 1 cores: 8 threads: 16 tpc: 2
smt: enabled cache: L1: 512 KiB desc: d-8x32 KiB; i-8x32 KiB L2: 8 MiB
desc: 8x1024 KiB L3: 96 MiB desc: 1x96 MiB
Speed (MHz): avg: 2982 min/max: 545/5050 boost: enabled scaling:
driver: amd-pstate-epp governor: powersave cores: 1: 2982 2: 2982 3: 2982
4: 2982 5: 2982 6: 2982 7: 2982 8: 2982 9: 2982 10: 2982 11: 2982 12: 2982
13: 2982 14: 2982 15: 2982 16: 2982 bogomips: 134139
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Vulnerabilities: <filter>
Graphics:
Device-1: NVIDIA AD104 [GeForce RTX 4070 SUPER] vendor: Micro-Star MSI
driver: nvidia v: 570.124.04 alternate: nouveau,nvidia_drm
non-free: 550/565.xx+ status: current (as of 2025-01) arch: Lovelace
code: AD1xx process: TSMC n4 (5nm) built: 2022+ pcie: gen: 4
speed: 16 GT/s lanes: 16 ports: active: none off: DP-2
empty: DP-1,DP-3,HDMI-A-1 bus-ID: 01:00.0 chip-ID: 10de:2783
class-ID: 0300
Display: wayland server: X.org v: 1.21.1.16 with: Xwayland v: 24.1.6
compositor: kwin_wayland driver: X: loaded: nvidia unloaded: modesetting
alternate: fbdev,nouveau,nv,vesa gpu: nvidia,nvidia-nvswitch display-ID: 0
Monitor-1: DP-2 model: Dell AW3423DWF serial: <filter> built: 2023 res:
mode: 3440x1440 hz: 165 scale: 125% (1.25) to: 2752x1152 dpi: 109 gamma: 1.2
size: 800x337mm (31.5x13.27") diag: 868mm (34.2") modes: max: 3440x1440
min: 640x480
API: EGL v: 1.5 hw: drv: nvidia platforms: device: 0 drv: nvidia gbm:
drv: nvidia surfaceless: drv: nvidia wayland: drv: nvidia x11: drv: nvidia
API: OpenGL v: 4.6.0 vendor: nvidia v: 570.124.04 glx-v: 1.4
direct-render: yes renderer: NVIDIA GeForce RTX 4070 SUPER/PCIe/SSE2
memory: 11.71 GiB display-ID: :1.0
API: Vulkan v: 1.4.304 layers: 6 device: 0 type: discrete-gpu name: NVIDIA
GeForce RTX 4070 SUPER driver: N/A device-ID: 10de:2783
surfaces: xcb,xlib,wayland
Info: Tools: api: clinfo, eglinfo, glxinfo, vulkaninfo
de: kscreen-console,kscreen-doctor gpu: nvidia-settings,nvidia-smi
wl: wayland-info x11: xdpyinfo, xprop, xrandr
Audio:
Device-1: NVIDIA AD104 High Definition Audio vendor: Micro-Star MSI
driver: snd_hda_intel v: kernel pcie: gen: 4 speed: 16 GT/s lanes: 16
bus-ID: 01:00.1 chip-ID: 10de:22bc class-ID: 0403
Device-2: Advanced Micro Devices [AMD] Family 17h/19h/1ah HD Audio
vendor: Gigabyte driver: snd_hda_intel v: kernel pcie: gen: 4 speed: 16 GT/s
lanes: 16 bus-ID: 10:00.6 chip-ID: 1022:15e3 class-ID: 0403
Device-3: Logitech G433 Gaming Headset
driver: hid-generic,snd-usb-audio,usbhid type: USB rev: 2.0 speed: 12 Mb/s
lanes: 1 mode: 1.1 bus-ID: 1-5:3 chip-ID: 046d:0a6d class-ID: 0300
serial: <filter>
API: ALSA v: k6.13.7-zen1-1-zen status: kernel-api tools: N/A
Server-1: PipeWire v: 1.4.1 status: active with: 1: pipewire-pulse
status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
Device-1: Realtek RTL8125 2.5GbE vendor: Gigabyte driver: r8169 v: kernel
pcie: gen: 2 speed: 5 GT/s lanes: 1 port: e000 bus-ID: 07:00.0
chip-ID: 10ec:8125 class-ID: 0200
IF: enp7s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Info: services: NetworkManager,systemd-timesyncd
Drives:
Local Storage: total: 4.55 TiB used: 137.89 GiB (3.0%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/nvme0n1 maj-min: 259:5 vendor: Fanxiang model: S690Q 2TB
size: 1.82 TiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s
lanes: 4 tech: SSD serial: <filter> fw-rev: VF001C30 temp: 44.9 C
scheme: GPT
ID-2: /dev/nvme1n1 maj-min: 259:0 vendor: Samsung
model: SSD 970 EVO Plus 2TB size: 1.82 TiB block-size: physical: 512 B
logical: 512 B speed: 31.6 Gb/s lanes: 4 tech: SSD serial: <filter>
fw-rev: 2B2QEXM7 temp: 47.9 C scheme: GPT
ID-3: /dev/sda maj-min: 8:0 vendor: Samsung model: SSD 850 EVO 1TB
size: 931.51 GiB block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s
tech: SSD serial: <filter> fw-rev: 1B6Q scheme: MBR
Partition:
ID-1: / raw-size: 1.79 TiB size: 1.79 TiB (100.00%) used: 137.89 GiB (7.5%)
fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:7
ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
used: 608 KiB (0.2%) fs: vfat dev: /dev/nvme0n1p1 maj-min: 259:6
ID-3: /home raw-size: 1.79 TiB size: 1.79 TiB (100.00%)
used: 137.89 GiB (7.5%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:7
ID-4: /var/log raw-size: 1.79 TiB size: 1.79 TiB (100.00%)
used: 137.89 GiB (7.5%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:7
ID-5: /var/tmp raw-size: 1.79 TiB size: 1.79 TiB (100.00%)
used: 137.89 GiB (7.5%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:7
Swap:
Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
ID-1: swap-1 type: zram size: 30.95 GiB used: 0 KiB (0.0%) priority: 100
comp: zstd avail: lzo-rle,lzo,lz4,lz4hc,deflate,842 max-streams: 16
dev: /dev/zram0
ID-2: swap-2 type: partition size: 34.05 GiB used: 0 KiB (0.0%)
priority: -2 dev: /dev/nvme0n1p3 maj-min: 259:8
Sensors:
System Temperatures: cpu: 49.0 C mobo: 35.0 C
Fan Speeds (rpm): N/A
Info:
Memory: total: 32 GiB note: est. available: 30.95 GiB used: 4.73 GiB (15.3%)
Processes: 350 Power: uptime: 17m states: freeze,mem,disk suspend: deep
avail: s2idle wakeups: 0 hibernate: platform avail: shutdown, reboot,
suspend, test_resume image: 12.32 GiB services: org_kde_powerdevil,
power-profiles-daemon, upowerd Init: systemd v: 257 default: graphical
tool: systemctl
Packages: pm: pacman pkgs: 1430 libs: 438 tools: octopi,paru Compilers:
gcc: 14.2.1 Shell: garuda-inxi default: fish v: 4.0.1 running-in: konsole
inxi: 3.3.37
Garuda (2.7.2-1):
System install date:     2025-03-14
Last full system update: 2025-03-22
Is partially upgraded:   No
Relevant software:       snapper NetworkManager dracut nvidia-dkms
Windows dual boot:       Probably (Run as root to verify)
Failed units:            garuda-update.service

Hi

I don’t have experience with it, but in my testing I can add USB drives in the Citrix Workspace Preferences → File Access → ADD

Users can plug USB devices into their computers and the devices are redirected to their virtual desktop after enabling auto-redirection. You can enable auto-redirection manually through configuration file settings. Auto-redirection of USB devices is disabled by default.

Did you see this class?

Content Security (Class 0d)

Content security devices enforce content protection, typically for licensing or digital rights management. This class includes dongles.

or read on other websites

devices is disabled by default. To configure the auto-redirection of USB devices, do the following:

    Navigate to the $Home/.ICAClient/wfclient.ini configuration file.

    Add the following entry:

    DesktopApplianceMode=True

Thanks for looking into this. In my research, I’ve come across wfclient.ini as well as some others. I’ve actually allowed all devices at some point for testing. However, the problem is that they are not even recognized. In the toolbar of the session, I should be able to view the list of devices and choose which ones to forward to the session. This could be restricted or automated using the configuration file. However, in my case, no devices even show up. None, so this is not specific to YubiKey, but rather a problem with USB redirection in general.

I’ve also checked ctxusbd.service (in great depth, actually) and concluded that it is in fact running, despite some oddities in how it is installed. With debugging flags set in the icaclient configuration I can see the service logging init and shutdown messages when connecting to a session. It does not, however, log any errors or devices.

There is something wrong with the GenericUSB redirection module. It could be related to the fact that Citrix does not offer an Arch build and the package in AUR seems to be the Debian version with some adjustments. Going through almost all the comments on AUR, I’ve found several stating that USB redirection is not working. There are branches of the icaclient package that claim to fix this and I tried to copy their adjustments to my system, but without success.

After spending several hours on this last weekend I believe I have a decent grasp of both the icaclient package (including its installer and all config files) as well as the ctxusbd.service, but I don’t see why it would not recognize any device and not log any errors either. Unfortunately, I understand too little about how USB redirection works in general, let alone Linux, to dive any deeper into this. Maybe there are some dependencies that are not met by Arch? Or a permission issue? Or maybe the service should be running on a lower level (init) than it does in this setup?

I finally got it working! :rocket:

The icaclient package in AUR is broken. Citrix does not publish an Arch version and the package seems to be missing necessary adjustments for USB support. Someone posted a patch for it (GitHub - itsjfx/aur-icaclient) but it was never merged. They updated the package today to version 25 but failed to include the patch, again.

I went through the install script in the patch and made the necessary adjustments manually. I had actually tried that before, along with countless other things, but missed the chmod parameters on the copy commands. Turns out they were there for a reason.

So this is what is necessary to get USB support to work on Arch/Garuda:

  1. Install icaclient with necessary dependencies.
  2. Go to $ICAROOT a.k.a. /opt/Citrix/ICAClient/
  3. Copy the following files from ./usb to ./ and run chmod on them:
    VDGUSB.DLL
    ctx_usb_isactive
    ctxusbd → chmod 500
    usb.conf → chmod 444
    ctxusb → chmod 4555
  4. Edit ./config/module.ini:
    In line VirtualDriver= add GenericUSB at the end
    In section [ICA 3.0] add entry GenericUSB=on
    At the end of the file add [GenericUSB] with entry DriverName = VDGUSB.DLL
  5. Edit ./usb.conf: Change DENY to ALLOW on the USB devices/types you need – or replace the entire file content with ALLOW: if you’re frustrated enough.
  6. Edit /usr/lib/systemd/system/ctxusbd.service:
    Update ExecStart to ExecStart=/opt/Citrix/ICAClient/ctxusbd
  7. Make sure the update to the service is applied, for example by overkilling it with:
    sudo systemctl disable ctxusbd
    sudo systemctl enable --now ctxusbd
    reboot

Within the Citrix session, bring up the menu and go to Preferences → Devices. Then plug in the device and click Refresh. If everything works, the device should now show up and you can check the box to redirect it to the session.

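Added example, not part of the original posts and not code from Citrix or the AUR package: a read-only check of steps 3 to 6 above, so a package update that silently reverts the manual fix (or drops the setuid bit on ctxusb) is caught before the next session. File names, modes and ini entries are taken from the post; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: read-only audit of the manual USB-redirection fix from the post.
# Function names are hypothetical; assumes GNU stat (as shipped on Arch/Garuda).

# in_section FILE SECTION REGEX -> 0 if a line matching REGEX is inside [SECTION]
in_section() {
    awk -v sec="[$2]" -v pat="$3" '
        { sub(/[ \t\r]+$/, "") }
        /^\[/ { cur = $0 }
        cur == sec && $0 ~ pat { found = 1 }
        END { exit !found }' "$1" 2>/dev/null
}

# usb_conf_allows_all FILE -> 0 if FILE has a bare "ALLOW:" rule with no filter,
# the catch-all from step 5, which offers every local USB device to the session
usb_conf_allows_all() {
    grep -Eq '^[[:space:]]*ALLOW:[[:space:]]*(#.*)?$' "$1" 2>/dev/null
}

# check_ica_usb ICAROOT UNIT_FILE -> prints findings, returns the number of failures
check_ica_usb() {
    root=$1; unit=$2; bad=0; ini=$root/config/module.ini
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }
    # Step 3: files copied into $ICAROOT, with the modes given in the post
    for f in VDGUSB.DLL ctx_usb_isactive ctxusbd usb.conf ctxusb; do
        [ -f "$root/$f" ] || fail "$f missing in $root"
    done
    for pair in ctxusbd:500 usb.conf:444 ctxusb:4555; do
        f=${pair%%:*}; want=${pair##*:}
        [ -f "$root/$f" ] || continue
        got=$(stat -c '%a' "$root/$f")
        [ "$got" = "$want" ] || fail "$f has mode $got, expected $want"
    done

    # Step 4: GenericUSB wired into module.ini
    grep -Eq '^VirtualDriver *=.*GenericUSB' "$ini" 2>/dev/null ||
        fail "GenericUSB not listed in VirtualDriver="
    in_section "$ini" "ICA 3.0" '^GenericUSB *= *on' ||
        fail "GenericUSB=on missing from [ICA 3.0]"
    in_section "$ini" "GenericUSB" '^DriverName *= *VDGUSB[.]DLL' ||
        fail "DriverName = VDGUSB.DLL missing from [GenericUSB]"

    # Step 6: the unit must start ctxusbd from $ICAROOT
    grep -Fxq "ExecStart=$root/ctxusbd" "$unit" 2>/dev/null ||
        fail "ExecStart does not point at $root/ctxusbd"
    usb_conf_allows_all "$root/usb.conf" && echo "WARN: usb.conf has a catch-all ALLOW:"
    return "$bad"
}
```

After sourcing the file, run it as `check_ica_usb /opt/Citrix/ICAClient /usr/lib/systemd/system/ctxusbd.service`; an exit status of 0 means every step is still in place.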