Product Documentation

Receiver Desktop Lock

Aug 09, 2016

You can use the Receiver Desktop Lock when users do not need to interact with the local desktop. Users can still use the Desktop Viewer (if enabled), however it has only the required set of options on the toolbar: Ctrl+Alt+Del, Preferences, Devices, and Disconnect.

Citrix Receiver Desktop Lock works on domain-joined machines, which are SSON-enabled (Single Sign-On) and store configured; it can also be used on non-domain joined machines without SSON enabled. It does not support PNA sites. Previous versions of Desktop Lock are not supported when you upgrade to Receiver for Windows 4.2.x.

You must install Citrix Receiver for Windows with the /includeSSON flag. You must configure the store and single sign-on, either using the adm/admx file or cmdline option. For more information, refer to Install and configure Citrix Receiver using the command line.

Then, install the Receiver Desktop Lock as an administrator using the CitrixReceiverDesktopLock.MSI available at citrix.com/downloads.

System requirements for Citrix Receiver Desktop Lock

  • Supported on Windows 7 (including Embedded Edition), Windows 7 Thin PC, Windows 8, and Windows 8.1.
  • User devices must be connected to a local area network (LAN) or wide area network (WAN).

Local App Access

Important

Enabling Local App Access may permit local desktop access, unless a full lock down has been applied with the Group Policy Object template, or a similar policy. See Configure Local App Access and URL redirection in XenApp and XenDesktop for more information.

Working with Receiver Desktop Lock

  • You can use Receiver Desktop Lock with the following Receiver for Windows features:
    • 3Dpro, Flash, USB, HDX Insight, Microsoft Lync 2013 plug-in, and local app access
    • Domain, two-factor, or smart card authentication only
  • Disconnecting the Receiver Desktop Lock session logs out the end device.
  • Flash redirection is disabled on Windows 8 and later versions. Flash redirection is enabled on Windows 7.
  • The Desktop Viewer is optimized for Receiver Desktop Lock with no Home, Restore, Maximize, and Display properties.
  • Ctrl+Alt+Del is available on the Viewer toolbar.
  • Most windows shortcut keys are passed to the remote session, with the exception of Windows+L. For details, see Passing Windows shortcut keys to the remote session.
  • Ctrl+F1 triggers Ctrl+Alt+Del when you disable the connection or Desktop Viewer for desktop connections.

To install Receiver Desktop Lock

This procedure installs Receiver for Windows so that virtual desktops appear using Receiver Desktop Lock. For deployments that use smart cards, see To configure smart cards for use with devices running Receiver Desktop Lock.
  1. Log on using a local administrator account.
  2. At a command prompt, run the following command (located in the Citrix Receiver and Plug-ins > Windows > Receiver folder on the installation media).
    For example:
    CitrixReceiver.exe 
         /includeSSON 
    STORE0="DesktopStore;https://my.storefront.server/Citrix/MyStore/discovery;on;Desktop Store"
    

    For command details, see the Receiver for Windows install documentation at Configure and install Receiver for Windows using command-line parameters.

  3. In the same folder on the installation media, double-click CitrixReceiverDesktopLock.MSI . The Desktop Lock wizard opens. Follow the prompts.
  4. When the installation completes, restart the user device. If you have permission to access a desktop and you log on as a domain user, the device appears using Receiver Desktop Lock.

To allow administration of the user device after installation, the account used to install CitrixReceiverDesktopLock.msi is excluded from the replacement shell. If that account is later deleted, you will not be able to log on and administer the device.

To run a silent install of Receiver Desktop Lock, use the following command line: msiexec /i CitrixReceiverDesktopLock.msi /qn

To configure Receiver Desktop Lock

Grant access to only one virtual desktop running Receiver Desktop Lock per user.

Using Active Directory policies, prevent users from hibernating virtual desktops.

Use the same administrator account to configure Receiver Desktop Lock as you did to install it.
  • Ensure that the Receiver.admx (or Receiver.adml) and Receiver_usb.admx (.adml) files are loaded into Group Policy (where the policies appear in Computer Configuration or User Configuration > Administrative Templates > Classic Administrative Templates (ADMX) > Citrix Components). The .admx files are located in %Program Files%\Citrix\ICA Client\Configuration\.
  • USB preferences - When a user plugs in a USB device, that device is automatically remoted to the virtual desktop; no user interaction is required. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.
    • Enable the USB policy rule.
    • In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable and configure the Existing USB Devices and New USB Devices policies.
  • Drive mapping - In Citrix Receiver > Remoting client devices, enable and configure the Client drive mapping policy.
  • Microphone - In Citrix Receiver > Remoting client devices, enable and configure the Client microphone policy.

To configure smart cards for use with devices running Receiver Desktop Lock

  1. Configure StoreFront.
    1. Configure the XML Service to use DNS Address Resolution for Kerberos support.
    2. Configure StoreFront sites for HTTPS access, create a server certificate signed by your domain certificate authority, and add HTTPS binding to the default website.
    3. Ensure pass-through with smart card is enabled (enabled by default).
    4. Enable Kerberos.
    5. Enable Kerberos and Pass-through with smart card.
    6. Enable Anonymous access on the IIS Default Web Site and use Integrated Windows Authentication.
    7. Ensure the IIS Default Web Site does not require SSL and ignores client certificates.
  2. Use the Group Policy Management Console to configure Local Computer Policies on the user device.
    1. Import the Receiver.admx template from %Program Files%\Citrix\ICA Client\Configuration\.
    2. Expand Administrative Templates > Classic Administrative Templates (ADMX) > Citrix Components > Citrix Receiver > User authentication.
    3. Enable Smart card authentication.
    4. Enable Local user name and password.
  3. Configure the user device before installing Receiver Desktop Lock.
    1. Add the URL for the Delivery Controller to the Windows Internet Explorer Trusted Sites list.
    2. Add the URL for the first Delivery Group to the Internet Explorer Trusted Sites list in the form desktop://delivery-group-name.
    3. Enable Internet Explorer to use automatic logon for Trusted Sites.

When Receiver Desktop Lock is installed on the user device, a consistent smart card removal policy is enforced. For example, if the Windows smart card removal policy is set to Force logoff for the desktop, the user must log off from the user device as well, regardless of the Windows smart card removal policy set on it. This ensures that the user device is not left in an inconsistent state. This applies only to user devices with the Receiver Desktop Lock.

To remove Receiver Desktop Lock

Be sure to remove both of the components listed below.
  1. Log on with the same local administrator account that was used to install and configure Receiver Desktop Lock.
  2. From the Windows feature for removing or changing programs:
    • Remove Citrix Receiver Desktop Lock.
    • Remove Citrix Receiver.

Passing Windows shortcut keys to the remote session

Most windows shortcut keys are passed to the remote session. This section highlights some of the common ones.

Windows
  • Win+D - Minimize all windows on the desktop.
  • Alt+Tab - Change active window.
  • Ctrl+Alt+Delete - via Ctrl+F1 and the Desktop Viewer toolbar.
  • Alt+Shift+Tab
  • Windows+Tab
  • Windows+Shift+Tab
  • Windows+All Character keys
Windows 8
  • Win+C - Open charms.
  • Win+Q - Search charm.
  • Win+H - Share charm.
  • Win+K - Devices charm.
  • Win+I - Settings charm.
  • Win+Q - Search apps.
  • Win+W - Search settings.
  • Win+F - Search files.

Windows 8 apps

  • Win+Z - Get to app options.
  • Win+. - Snap app to the left.
  • Win+Shift+. - Snap app to the right.
  • Ctrl+Tab - Cycle through app history.
  • Alt+F4 - Close an app.

Desktop

  • Win+D - Open desktop.
  • Win+, - Peek at desktop.
  • Win+B - Back to desktop.

Other

  • Win+U - Open Ease of Access Center.
  • Ctrl+Esc - Start screen.
  • Win+Enter - Open Windows Narrator.
  • Win+X - Open system utility settings menu.
  • Win+PrintScrn - Take a screen shot and save to pictures.
  • Win+Tab - Open switch list.
  • Win+T - Preview open windows in taskbar.