You can configure EPA Policies on Netscaler to check the configurations on the Client Device (ie Domain Membership)
Check Domain Membership Example :
- Clear ICA Only checkbox on Netscaler Gateway Virtual Server > Basic Settings (Enables Smart Access)
- Be sure to enable Callback on Storefront > Netscaler Settings.
- Enable TrustXML on DDC
- Create two PreAuthentication Policies, one for Domain_Joined, one for Domain_Not_Joined and bind these policies to Netscaler Gateway Virtual Server.
Domain Joined : CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_workspacelab.com[COMMENT: Domain check]') EXISTS
Domain NOT Joined : CLIENT.SYSTEM('DOMAIN_SUFFIX_anyof_workspacelab.com[COMMENT: Domain check]') NOTEXISTS - On DDC, edit Delivery Group Properties > Access Policy > Enable all checkboxes > Farm Name = Netscaler Gateway Virtual Server Name, Filter = Domain_Joined (this will filter the resources on the delivery group only to Domain Joined Computers)
You can use the Smart Access policies on the Citrix Policy Filters either.
https://support.citrix.com/article/CTX227055/smart-access-guide-for-netscaler-gateway-storefront-and-xendesktop
https://support.citrix.com/article/CTX220961/how-to-configure-netscaler-gateway-preauthentication-epa-scan-for-domain-check