MacStadium VDI operates under a shared responsibility model. MacStadium manages the infrastructure layer; you manage the orchestration, user access, and application layers. Where you’ve engaged a Citrix Service Provider (CSP), some customer responsibilities may transfer to that partner. This guide defines responsibilities across all three deployment models:
  • MSDC-Hosted: MacStadium manages the Mac hardware and data center infrastructure.
  • Self-Hosted (On-Prem): You manage your own hardware, on your premises.
  • Self-Hosted (AWS): You manage Mac hardware on AWS (via EC2 Mac instances or a colocation partner).

Responsibility matrix

| Symbol | Meaning |
| --- | --- |
| MS | MacStadium |
| Customer | You (or your Citrix Service Provider, where noted) |
| Shared | Both parties have responsibilities in this area |

| Area | MSDC-Hosted | Self-Hosted (On-Prem) | Self-Hosted (AWS) |
| --- | --- | --- | --- |
| Physical hardware provisioning | MS | Customer | Customer |
| Data center facilities (power, cooling, physical security) | MS | Customer | Customer / AWS |
| macOS installation on hosts | MS | Customer | Customer |
| Network infrastructure (switches, uplinks, VLANs) | MS | Customer | Customer / AWS |
| VPN connectivity to infrastructure | Shared | Customer | Customer |
| Static IP assignment and DHCP | MS | Customer | Customer |
| Orka Engine installation and licensing | Shared | Customer | Customer |
| Orka Engine upgrades | Shared | Customer | Customer |
| Ansible controller setup and maintenance | Customer | Customer | Customer |
| Orchestration playbook configuration | Customer | Customer | Customer |
| Management UI (Semaphore) setup | Customer | Customer | Customer |
| Golden image creation and maintenance | Customer | Customer | Customer |
| VM deployment and lifecycle | Customer | Customer | Customer |
| Citrix VDA installation and registration | Customer | Customer | Customer |
| Citrix Cloud account and licensing | Customer | Customer | Customer |
| Delivery group and policy configuration | Customer | Customer | Customer |
| End-user access and entitlements | Customer | Customer | Customer |
| MDM enrollment (hosts) | Shared | Customer | Customer |
| MDM enrollment (VMs) | Customer | Customer | Customer |
| Hardware replacement | MS | Customer | Customer / AWS |
| Remote hands (KVM, hard reset, disk reimaging) | MS | Customer | Customer |
| Host OS updates (macOS) | Customer | Customer | Customer |
| Security patching (VMs and golden images) | Customer | Customer | Customer |
| SSH key rotation | Customer | Customer | Customer |
| Audit logging and compliance | Shared | Customer | Customer |
| Capacity planning | Shared | Customer | Customer |

Detail by area

Infrastructure

MSDC-Hosted: MacStadium owns and operates the data center, network, and Mac hardware. Your fleet is provisioned and networked before you receive access. MacStadium handles hardware failures, drive reimaging, and physical support through its Data Center Technician (DCT) team.
Self-Hosted: You own and operate all hardware and facilities. MacStadium provides software (Orka Engine) and support, but has no visibility into or control over your infrastructure.

Orka Engine

MacStadium provides the Orka Engine license key, installer URL, and version updates. You run the install_engine.yml playbook to install and upgrade Orka Engine on your hosts. For MSDC-Hosted deployments, MacStadium can assist with installation if needed. Contact support@macstadium.com for help.

Orchestration and VM management

You are responsible for the orchestration layer across all deployment models. This includes:
  • The Ansible controller machine
  • The orka-engine-orchestration repository configuration (inventory, group vars, playbooks)
  • The management UI
  • All VM deployments, image management, and lifecycle operations

Citrix integration

You are responsible for your Citrix Cloud account, licensing, VDA installation, machine catalog setup, delivery groups, and policies. MacStadium does not have access to your Citrix environment.
If you’re working with a Citrix Service Provider (CSP), your CSP typically manages the Citrix layer on your behalf, including VDA installation, SSO setup, HDX policy tuning, and session troubleshooting. MacStadium currently partners with Whitehat Virtual for CSP services. Confirm the scope of your CSP’s responsibilities before deployment. MacStadium’s support boundary ends at the infrastructure layer regardless of whether you use a CSP.

MDM enrollment

Mac hosts support MDM enrollment via Apple Business Manager (ABM). MacStadium can assist with host enrollment for MSDC-Hosted customers. macOS VMs cannot be registered with ABM directly. MacStadium provides scripts and guidance for automated user-driven MDM enrollment instead. Supported MDM tools include Jamf, Kandji, and Intune. See Apple Business Manager and MDM with MacStadium for details.

Security and compliance

Both MacStadium and you share responsibility for security:
  • MacStadium: Physical security, data center access controls, network infrastructure security (MSDC-Hosted), hardware-level audit logs.
  • You: SSH key management, VM and image security patching, Citrix policy configuration, application-level access controls, and compliance with your organization’s regulatory requirements (GDPR, HIPAA, SOC 2, etc.).
For MSDC-Hosted customers, MacStadium can provide data center compliance documentation on request. Contact your account representative.

Support boundaries

| Issue | Who to contact |
| --- | --- |
| Hardware failure (MSDC-Hosted) | MacStadium Support |
| Network connectivity to MSDC infrastructure | MacStadium Support |
| Orka Engine errors or crashes | MacStadium Support |
| Orchestration playbook issues | MacStadium Support or GitHub |
| Citrix VDA registration or session issues | Your Citrix administrator or CSP |
| Citrix Cloud account or licensing | Citrix Support |
| End-user application issues | Your IT team or CSP |
| MDM configuration | Your MDM administrator or CSP |

When contacting MacStadium Support, include your account ID, affected host IPs or VM names, a description of the issue, and any relevant log excerpts.