I found out that the solution to the above question is actually included in the VDI 1.1.0 iApp deployment guide. On page 31/55 the section with "Users with certain mobile clients (iOS/Android) are having authentication issues after deploying the iApp and selecting to use BIG-IP APM with Web Interface or StoreFront servers" contains the fix. In short, remove the Storefront URI Redirect from the Access Policy, then add an iRule as follows to the virtual server:
when ACCESS_ACL_ALLOWED {
set type [ACCESS::session data get session.client.type]
if { !($type starts_with "citrix") } {
if { [HTTP::uri] == "/" } {
log local0. "Redirecting to Web..."
ACCESS::respond 302 Location "https://[HTTP::host]/Citrix/web/"
}
}
}
This is confirmed to work in Wyse thin clients as well as Android/iOS Receiver clients as mentioned in the guide. The wnos.ini file on the Wyse clients needs to contain a line similar to this as well:
PnliteServer=https://apmserver.domainname.com CAGAuthMethod=LDAP