Skip to main content

Overview

These are recommended best practices for deploying Citrix HDX and HP Anyware PCoIP on MacStadium infrastructure. This document provides generalized guidance on MDM enrollment, permissions, networking, and performance tuning.

Security and Encryption

Disable FileVault unless your security policy requires it. If a machine with FileVault enabled powers down, a MacStadium Data Center Technician must intervene locally before it can be accessed remotely. If encryption is required, coordinate with MacStadium to set up secure restart scripts that automate reboots and recovery before enabling it. Note: If your organization requires the use of FileVault, it is highly recommend that macOS Tahoe is used on your host devices. Apple released a pre-boot SSH capability in Tahoe that allows for remote disk decryption as an alternative to physical DCT intervention. FileVault is not officially supported by MacStadium. Use an MDM solution (Jamf Pro, Kandji, or Intune) to enforce your security baseline. See MDM Policies and Permissions for VDI-specific configuration.

MDM Enrollment for VMs

Apple Business Manager (ABM) Automated Device Enrollment is not available for virtual machines. Apple identifies VM hardware identifiers as virtual and blocks auto-enrollment. This cannot be worked around. The standard approach is user-initiated enrollment scripted into your golden image. A LaunchDaemon runs at first boot to install the management framework. A LaunchAgent runs at login to prompt the user to approve the MDM profile. That approval is a macOS requirement on unsupervised devices. MacStadium’s tested and supported enrollment process for VMs at scale uses Jamf Pro. For a full walkthrough, see Jamf Enrollment for MacStadium VDI Desktops. The LaunchDaemon/LaunchAgent pattern is the same for Intune and Kandji, but MacStadium is still validating and developing optimized guidance for those platforms. A few things to get right before sealing the image:
  • Set enrollment tokens to expire on a schedule aligned to your image rotation cycle.
  • Verify enrollment on a test VM before promoting to production: profiles status -type enrollment should return MDM enrollment: Yes.
  • Do not seal the image with an MDM profile or management framework already present.
For image build and versioning guidance, see VDI Golden Image Management.

MDM Policies and Permissions

Configure and test these before sealing your golden image. Some permissions cannot be pre-approved via MDM, so they need to be granted manually on a clean VM before the image is sealed.

Privacy Preferences (PPPC / TCC)

PermissionCitrix HDXHP Anyware PCoIPMDM pre-approvable?
AccessibilityRequiredRequiredYes
Screen RecordingRequiredRequiredNo (grant manually before sealing)
MicrophoneOptional (audio redirect)OptionalNo (user-controlled)
CameraOptional (webcam redirect)OptionalNo (user-controlled)
Bundle IDs for PPPC profiles:
ApplicationBundle IDTeam ID
Citrix Workspace / VDAcom.citrix.ctxismS272Y5R93J
HP Anyware Clientcom.teradici.swiftclientNot published by HP
HP Anyware User Agentcom.teradici.pcoip-user-agentNot published by HP
HP does not document Team ID information for HP Anyware. To generate a code requirement string for use in a PPPC payload, run this against the installed host agent: 
# Locate the agent
mdfind "kMDItemCFBundleIdentifier == 'com.teradici.pcoip-user-agent'"

# Generate the code requirement string
codesign -dr - /path/to/PCoIPAgent.app
Paste the designated => line from the output into the Code Requirement field of your MDM’s PPPC payload.

System Extensions (Citrix only)

Citrix VDA installs system extensions for camera and USB redirection. Pre-approve these to prevent user-facing prompts.
ExtensionBundle IDTypeTeam ID
Camera extensioncom.citrix.mvda.vdacfg.cameraextensionSystem extensionS272Y5R93J
USB redirectioncom.citrix.kext.gusbKernel extensionS272Y5R93J
On macOS 15 (Sequoia), admin users can remove system extensions via System Settings. Jamf Pro 11.9.1+ and Kandji 3.x both support marking extensions as non-removable. Citrix also installs background services under /Library/LaunchAgents and /Library/LaunchDaemons. On Ventura and later, users see a “Background Items Added” notification on first login. This is expected. Do not suppress or disable these services.

MDM Platform Notes

PlatformPPPCSystem ExtensionsNotes
Jamf ProPrivacy Preferences Policy Control payloadSystem Extensions payload (Team ID S272Y5R93J)MacStadium’s tested and supported platform for VM enrollment at scale. For HP Anyware, generate the code requirement string with codesign -dr - and paste it manually. See the Jamf Enrollment guide.
Microsoft IntuneCustom Configuration Profile (macOS XML)Endpoint Security > macOS System ExtensionsDeploy HP Anyware or Citrix Workspace as a macOS DMG app via the Apps blade. Optimized VM enrollment guidance for Intune is in development.
KandjiPrivacy Preferences Library ItemSystem Extensions Library Item (Team ID S272Y5R93J)3.x supports non-removable extensions on macOS 15. Optimized VM enrollment guidance for Kandji is in development.

Networking and Connectivity

Disable packet inspection and SSL interception on VDI session traffic. Both HDX and PCoIP are sensitive to latency added by middleboxes. Route sessions as directly as possible and avoid unnecessary proxy hops. Required ports:
ProtocolCitrix HDXHP Anyware PCoIP
Primary sessionTCP/UDP 1494, 2598UDP 4172
Session fallbackTCP 4172
Broker / licensingTCP 443TCP 443, 60443
EDT (performance)UDP 1494, 2598
Enable EDT (UDP 1494/2598) for Citrix where possible. It provides noticeably better performance over variable-quality connections compared to TCP-only transport. Bandwidth planning per concurrent user:
Workload typeRecommended
General productivity / coding2-3 Mbps
Design / graphics5-10 Mbps
Video editing / high-performance15-25 Mbps
Maintain a secondary administrative access path (VNC or MacStadium remote console) independent of your VDI session for recovery scenarios.

Performance Tuning

macOS Settings (both protocols)

Disable desktop animations and transparency effects before sealing your image: System Settings > Accessibility > Display > Reduce Motion and Reduce Transparency. Disable screen saver, hot corners, and idle timers: 
sudo pmset -a sleep 0 disksleep 0 displaysleep 0
MacStadium hosts use wired Ethernet. If any nodes in your cluster are on Wi-Fi, disable Wi-Fi power saving to prevent the NIC from dropping into a low-power state during active sessions.

Protocol-Specific Tuning

SettingCitrix HDXHP Anyware PCoIP
Transport tuningEDT settings, H.264/H.265 codec selection, audio quality profiles (see Citrix Workspace App for Mac docspcoip.max_link_rate, image quality, frame rate — configured via plist (see below)
Config locationCitrix Workspace settings/Library/Preferences/com.teradici.pcoip-agent.plist
Applies toVDAGraphics Agent and Standard Agent
HP Anyware plist directives (set before sealing, or push via MDM config profile): 
# Bandwidth ceiling in kbps (default: 900000 — effectively uncapped)
sudo defaults write /Library/Preferences/com.teradici.pcoip-agent pcoip.max_link_rate -int 25000

# Image quality floor/ceiling, 0-100 (defaults: 40 / 80)
sudo defaults write /Library/Preferences/com.teradici.pcoip-agent pcoip.minimum_image_quality -int 40
sudo defaults write /Library/Preferences/com.teradici.pcoip-agent pcoip.maximum_initial_image_quality -int 80

# Frame rate ceiling in fps (default: 30)
sudo defaults write /Library/Preferences/com.teradici.pcoip-agent pcoip.maximum_frame_rate -int 30

# Audio bandwidth ceiling in kbps (default: 512)
sudo defaults write /Library/Preferences/com.teradici.pcoip-agent pcoip.audio_bandwidth_limit -int 256

# MTU size in bytes (default: 1200)
sudo defaults write /Library/Preferences/com.teradici.pcoip-agent pcoip.mtu_size -int 1200

# Build-to-lossless: 0 = off (default), 1 = on
# Sharpens to pixel-perfect during idle; useful for design review, increases bandwidth
sudo defaults write /Library/Preferences/com.teradici.pcoip-agent pcoip.enable_build_to_lossless -int 0
Changes take effect after the PCoIP agent service restarts or the VM reboots.

Management and Policy

Define MDM policies before sealing your golden image. A baseline for Orka VDI:
CategoryPolicies
Must be enabledRemote management, System Integrity Protection, disable end-user restart and shutdown
Should be enabledPassword complexity, software firewall, Gatekeeper, software update enforcement
AvoidUser lockout policies requiring local physical recovery; FileVault without a MacStadium-coordinated recovery plan
Do not apply aggressive idle timeout or auto-sleep policies that conflict with active session stability. See VDI Golden Image Management for incorporating MDM configuration into your image build pipeline.

Backup and Recovery

Keep machines in an always-on or wake-on-network state. Maintain a secondary administrative connection (VNC or MacStadium secure console) that does not depend on your VDI session. Enable Time Machine or equivalent backup on a schedule that meets your retention requirements. VDI sessions are not a substitute for enterprise backup.

Quick Reference

Citrix HDXHP Anyware PCoIP
Session portsTCP/UDP 1494, 2598; TCP 443UDP/TCP 4172; TCP 443, 60443
Main bundle IDcom.citrix.ctxismcom.teradici.swiftclient
System extensionsCamera kext, USB kextNone
Accessibility (MDM)Pre-approvablePre-approvable
Screen Recording (MDM)Grant manually before sealingGrant manually before sealing
MDM enrollmentUser-initiated onlyUser-initiated only
Agent variantsVDAGraphics Agent, Standard Agent
Agent configCitrix Workspace settings/Library/Preferences/com.teradici.pcoip-agent.plist
Related: