Owner: Desktop Engineering · Platform: Citrix DaaS (Cloud) · Review Cycle: 6 months
Virtual desktop infrastructure is delivered via Citrix DaaS (Desktop as a Service), hosted on Citrix Cloud with session hosts running on the on-premises VMware vSphere cluster. This hybrid model provides centralised control via Citrix Cloud while keeping sensitive data and compute on-premises.
VDI is the standard compute model for:
User Device (Thin Client / PC / Tablet)
│
│ Citrix Workspace App
▼
Citrix Cloud (Gateway Service — global PoP)
│ Encrypted ICA session
▼
Citrix Cloud Connector (DC1 / DC2 — pair each)
│
▼
Citrix Delivery Controller (Cloud-managed)
│
├── Virtual Apps (Published Applications)
│ Session Hosts on vSphere (Windows Server 2022)
│
└── Virtual Desktops (Non-Persistent VDI)
MCS Desktops on vSphere (Windows 11 Enterprise)
| Delivery Group | Type | Session Host OS | Users | Notes |
|---|---|---|---|---|
| DG-Operations | Non-persistent desktop | Windows 11 | Task workers | Standard business apps |
| DG-Finance | Non-persistent desktop | Windows 11 | Finance team | SAP GUI, Excel Add-ins |
| DG-Contractors | Non-persistent desktop | Windows 11 | Contractors | Restricted policy |
| DG-PCI | Non-persistent desktop | Windows 11 | PCI in-scope | Network-isolated, no internet |
| DG-PublishedApps | Published app | Windows Server 2022 | All users | Legacy and specialist apps |
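The DG-PCI row states that the desktops are network-isolated with no internet access. The following PowerShell script, added here as an example and not part of this runbook, is meant to be run from inside a DG-PCI session to confirm that the control actually holds: direct TCP connections to external endpoints must fail, the internal profile file server named in this runbook must remain reachable, and any configured proxy is reported because a proxy is the usual way an "isolated" desktop still reaches the internet. The external hosts are arbitrary well-known endpoints chosen for the example; the internal target and port are assumptions and should be adjusted to the environment.

```powershell
# Added example (not part of the runbook): run inside a DG-PCI desktop to
# verify the "network-isolated, no internet" control.
# Assumptions: external targets are arbitrary well-known internet endpoints;
# the internal target is the profile file server from this runbook over SMB
# (445). Adjust both lists to the environment.
$ExternalTargets = @(
    @{ Host = 'www.microsoft.com'; Port = 443 }   # name-based HTTPS
    @{ Host = '1.1.1.1';           Port = 53  }   # direct-to-IP DNS, bypasses the corp resolver
    @{ Host = '8.8.8.8';           Port = 443 }   # direct-to-IP HTTPS, bypasses DNS entirely
)
$InternalTargets = @(
    @{ Host = 'fileserver.corp.company.internal'; Port = 445 }
)

function Test-Egress {
    param([hashtable[]]$Targets, [bool]$ExpectReachable)
    foreach ($t in $Targets) {
        # -InformationLevel Quiet returns a plain $true/$false for the TCP connect.
        $reached = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                       -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target   = '{0}:{1}' -f $t.Host, $t.Port
            Reached  = $reached
            Expected = $ExpectReachable
            Result   = $(if ($reached -eq $ExpectReachable) { 'PASS' } else { 'FAIL' })
        }
    }
}

# Test-NetConnection connects directly and will not see a proxy, so report
# both the per-user (WinINet) and the machine (WinHTTP) proxy configuration.
function Get-ProxyState {
    $wininet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserProxyEnabled = ($wininet.ProxyEnable -eq 1)
        UserProxyServer  = $wininet.ProxyServer
        WinHttpProxy     = (netsh winhttp show proxy | Out-String).Trim()
    }
}

$results = @(Test-Egress -Targets $ExternalTargets -ExpectReachable $false) +
           @(Test-Egress -Targets $InternalTargets -ExpectReachable $true)
$results | Format-Table -AutoSize
Get-ProxyState | Format-List

if ($results.Result -contains 'FAIL') {
    Write-Error 'DG-PCI isolation check FAILED: see table above'
    exit 1
}
```

A non-zero exit makes the script usable as a scheduled check on the DG-PCI image; any proxy reported by Get-ProxyState must be reviewed separately, since the TCP tests cannot tell whether that proxy forwards to the internet.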
| Parameter | Value |
|---|---|
| Master Image | tmpl-win11-citrix-v26.04 (monthly updated) |
| Provisioning | Machine Creation Services (MCS) |
| Write-back cache | 40 GB disk, 2 GB RAM |
| vCPU per VM | 4 |
| RAM per VM | 8 GB |
| Disk changes | Discarded at reboot after logoff (non-persistent; machine resets to the master image) |
| Storage policy | prod-gold (vSAN RAID-5) |
| Machine count | Min: 20 powered on, Max: 400 per delivery group |
| Parameter | Value |
|---|---|
| OS | Windows Server 2022 |
| vCPU per VM | 8 |
| RAM per VM | 32 GB |
| Max sessions per host | 50 |
| Patching | Monthly (Citrix Smart Scale drains before patching) |
| Storage policy | prod-gold (vSAN RAID-5) |
User profiles are managed via Citrix Profile Management with profiles stored on a dedicated file share:
| Component | Detail |
|---|---|
| Profile store | \\fileserver.corp.company.internal\profiles$\{username} |
| Profile type | Citrix Profile Management (CPM) — streaming enabled |
| Profile size limit | 3 GB (alert at 2.5 GB) |
| Folder redirection | Desktop, Documents, Downloads → OneDrive for Business |
| Exclusions | AppData\Local\Temp, browser cache, Windows Update cache |
Profile reset policy: Users can self-reset their profile via the Citrix Self-Service portal. IT can reset via Citrix Studio. Profiles are reset automatically if they exceed the size limit after one warning.
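The profile store is a hidden share with one folder per user, and the size policy above depends on knowing which profiles are approaching the limit. The following PowerShell script is added here as an example and is not part of this runbook: it walks the share root named above and, for each user folder, checks that the folder is owned by and writable only by the user it is named after (plus SYSTEM and the administrative principals listed), flags any ACE granted to broad groups such as Everyone or Authenticated Users, and reports folder size against the 2.5 GB alert and 3 GB limit. It assumes the folder name equals the user's sAMAccountName (CPM's %username% layout) and uses 'CORP\Desktop Engineering' as a hypothetical administrative group that must be replaced with the real one. Run it as an account that can read every profile folder.

```powershell
# Added example (not part of the runbook): audits each per-user folder under
# the CPM profile store for
#   1. ownership and ACEs (only the named user, SYSTEM and listed admins), and
#   2. size against the 2.5 GB alert and 3 GB limit.
# Assumptions: folder name == sAMAccountName; 'CORP\Desktop Engineering' is a
# hypothetical admin group placeholder. A writable foreign profile folder lets
# one user plant files another user will load at logon, hence the ACL check.
$ProfileRoot       = '\\fileserver.corp.company.internal\profiles$'   # from the runbook
$WarnBytes         = 2.5GB
$LimitBytes        = 3GB
$AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CORP\Desktop Engineering')
$BroadPrincipals   = @('Everyone', 'Authenticated Users', 'Domain Users', 'BUILTIN\Users', 'INTERACTIVE')

function Test-ProfileFolder {
    param([System.IO.DirectoryInfo]$Folder)

    $user     = $Folder.Name
    $acl      = Get-Acl -LiteralPath $Folder.FullName
    $findings = New-Object System.Collections.Generic.List[string]

    # Owner check: whoever owns the folder can rewrite its ACL.
    if ($acl.Owner -notlike "*\$user") {
        $findings.Add("owner is '$($acl.Owner)', expected DOMAIN\$user")
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals | Where-Object { $id -like "*$_" }) {
            $findings.Add("broad ACE: $id = $($ace.FileSystemRights)")
        }
        elseif (($id -notin $AllowedPrincipals) -and ($id -notlike "*\$user")) {
            $findings.Add("foreign principal: $id = $($ace.FileSystemRights)")
        }
    }

    # Size check against the runbook thresholds.
    $bytes = (Get-ChildItem -LiteralPath $Folder.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { $bytes = 0 }
    if     ($bytes -ge $LimitBytes) { $findings.Add(('over 3 GB limit: {0:N2} GB' -f ($bytes / 1GB))) }
    elseif ($bytes -ge $WarnBytes)  { $findings.Add(('over 2.5 GB alert: {0:N2} GB' -f ($bytes / 1GB))) }

    [pscustomobject]@{
        User     = $user
        SizeGB   = [math]::Round($bytes / 1GB, 2)
        Findings = ($findings -join '; ')
    }
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force |
    ForEach-Object { Test-ProfileFolder -Folder $_ } |
    Where-Object { $_.Findings } |
    Sort-Object User |
    Format-Table -AutoSize
```

Folders reported as "over 3 GB limit" are the candidates for the automatic reset described above; ACL findings should be fixed before the next logon of the affected user rather than waiting for the review cycle.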
Citrix policies are applied in priority order. Key restrictions on the Contractors delivery group:
| Policy | Contractors | Standard Users |
|---|---|---|
| Client clipboard | One-way: client to session only (session-to-client paste blocked) | Bidirectional |
| Client drive mapping | Disabled | Disabled (OneDrive used instead) |
| USB device redirection | Disabled | Disabled |
| Printer mapping | Client printer only | Corp printers + client |
| Session watermark | Enabled (username + timestamp) | Disabled |
| Screen capture | Blocked (Citrix App Protection) | Allowed |
| Local app access | Disabled | Disabled |
| Session recording | Enabled (selective) | Disabled |
Citrix Smart Scale manages session host power states to optimise cost:
| Time | Action |
|---|---|
| 06:00 | Scale up — bring minimum boot pool online |
| 08:00–18:00 | Business hours — auto-scale based on load |
| 18:00 | Begin scale-down — drain idle sessions |
| 22:00 | Minimum overnight pool: 5 machines |
| Weekend | Minimum pool: 3 machines |
All scaled-down machines in MCS non-persistent mode have their write-back cache discarded, ensuring a clean state on next boot.
Where physical thin clients are deployed (call centres, reception, warehouse), the approved hardware is:
| Vendor | Model | OS | Use Case |
|---|---|---|---|
| HP | t640 Thin Client | ThinPro | Standard task worker |
| HP | mt45 Mobile Thin Client | ThinPro | Mobile / shared laptop |
| IGEL | UD3 | IGEL OS | High-security / PCI locations |
Thin clients are managed via HP Device Manager or IGEL UMS (Universal Management Suite) respectively. Citrix Workspace App is the only delivery mechanism.
Citrix Cloud console: https://citrix.cloud.com (SSO via Entra ID)
On-prem management: https://citrix.internal