SmartAccess for HDX apps

This feature allows you to control access to HDX apps based on device properties, user properties of a device, or applications installed on a device. You use this feature by setting automated actions to mark the device as out of compliance to deny that device access. HDX apps used with this feature are configured in Citrix Virtual Apps and Desktops by using a SmartAccess policy that denies access to out-of-compliance devices. Endpoint Management communicates the status of the device to StoreFront using a signed, encrypted tag. StoreFront then allows or denies access based on the access control policy of the app.

To use this feature, your deployment requires:

  • Citrix Virtual Apps and Desktops
  • Citrix Endpoint Management
  • Citrix workspace experience
  • Endpoint Management configured with a SAML certificate that is used to sign and encrypt tags. The same certificate, without its private key, is uploaded to the StoreFront server.

To start using this feature:

  • Configure the Endpoint Management server certificate on the StoreFront store
  • Configure at least one Citrix Virtual Apps and Desktops delivery group with the required SmartAccess policy
  • Set the automated action in Endpoint Management

Export and configure the Endpoint Management server certificate and upload it to the StoreFront store

SmartAccess uses signed and encrypted tags to communicate between the Endpoint Management and StoreFront servers. To enable that communication, you add the Endpoint Management server certificate to the StoreFront store.

For more information about integrating StoreFront and Endpoint Management when Endpoint Management is enabled with domain and certificate-based authentication, see the Support Knowledge Center.

Export the SAML certificate from Endpoint Management

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears. Click Certificates.

  2. Locate the SAML certificate for the Endpoint Management server.

  3. Ensure that Export private key is set to Off. Click Export to export the certificate to your download directory.

  4. Locate the certificate in your download directory. The certificate is in PEM format.

Convert the certificate from PEM to CER

  1. Open the Microsoft Management Console (MMC) and right-click Certificates > All Tasks > Import.

  2. When the certificate import wizard appears, click Next.

  3. Browse to the certificate in the download directory.

  4. Select Place all certificates in the following store and select Personal as the certificate store. Click Next.

  5. Review your selections and click Finish. Click OK to dismiss the confirmation window.

  6. In the MMC, right-click the certificate and then choose All Tasks > Export.

  7. When the certificate export wizard appears, click Next.

  8. Choose the format DER encoded binary X.509 (.CER). Click Next.

  9. Browse to the certificate. Type a name for the certificate and then click Next.

  10. Save the certificate.

  11. Browse to the certificate and click Next.

  12. Review your selections and click Finish. Click OK to dismiss the confirmation window.

  13. Locate the certificate in your download directory. Note that the certificate is in CER format.
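
The MMC import/export steps above can also be done from PowerShell. The script below is an added example, not part of the Citrix documentation: it converts the exported PEM file to a DER-encoded .cer with the .NET X509Certificate2 class and, before writing anything, checks that the export contains no private key, which is what makes the certificate safe to hand to StoreFront. The file paths (the Downloads folder and C:\SmartCert) are assumptions for this example.

```powershell
# Added example (not from the Citrix documentation): convert the PEM certificate
# exported from Endpoint Management to DER (.cer) and confirm it carries no private key.
# Both paths are assumptions; point them at the exported file and the SmartCert folder.
$pemPath = "$env:USERPROFILE\Downloads\xms.pem"
$cerPath = "C:\SmartCert\xms.cer"

# StoreFront only needs the public certificate to verify the signed tags. Refuse to
# continue if a PEM private-key block is present, or if the file loaded as PFX with a key.
$pemText = Get-Content -Path $pemPath -Raw
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pemPath)
if ($pemText -match '-----BEGIN [A-Z ]*PRIVATE KEY-----' -or $cert.HasPrivateKey) {
    throw "The exported file contains a private key. Re-export from Endpoint Management with 'Export private key' set to Off."
}

# Export as DER-encoded binary X.509, the same format chosen in the MMC export wizard.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
New-Item -ItemType Directory -Path (Split-Path $cerPath) -Force | Out-Null
[System.IO.File]::WriteAllBytes($cerPath, $der)

# Report what an administrator needs later: the thumbprint identifies this certificate
# when revoking by thumbprint on StoreFront, and NotAfter shows when it expires.
[pscustomobject]@{
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    CerPath    = $cerPath
    Bytes      = $der.Length
}
```

Keep the printed thumbprint with your change record: it is the value that Revoke-STFStorePnaSmartAccess -CertificateThumbprint expects if this certificate has to be removed from the store later.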

Copy the certificate to the StoreFront Server

  1. On the StoreFront server, create a folder called SmartCert.

  2. Copy the certificate to the SmartCert folder.

Configure the certificate on the StoreFront store

On the StoreFront server, run this PowerShell command to configure the converted Endpoint Management server certificate on the store. Assign $store first with Get-STFStoreService -VirtualPath, as shown in the revoke examples in this section:

    Grant-STFStorePnaSmartAccess -StoreService $store -CertificatePath "C:\xms\xms.cer" -ServerName "XMS server"

If there are any existing certificates on the StoreFront store, run this PowerShell command to revoke them:

    Revoke-STFStorePnaSmartAccess -StoreService $store -All

Alternatively, you can run any of these PowerShell commands on the StoreFront server to revoke existing certificates on the StoreFront store:

  • Revoke by name:
    $store = Get-STFStoreService -VirtualPath /Citrix/Store

    Revoke-STFStorePnaSmartAccess -StoreService $store -ServerName "My XM Server"
  • Revoke by thumbprint:
    $store = Get-STFStoreService -VirtualPath /Citrix/Store

    Revoke-STFStorePnaSmartAccess -StoreService $store -CertificateThumbprint "1094821dec7834d5d42bb456329efe4fca86c60b"
  • Revoke by server object:
    $store = Get-STFStoreService -VirtualPath /Citrix/Store

    $access = Get-STFStorePnaSmartAccess -StoreService $store

    Revoke-STFStorePnaSmartAccess -StoreService $store -SmartAccess $access.AccessConditionsTrusts[0]
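
For both the grant command and the revoke options above, the following script is an added example (not from the Citrix documentation) that puts the pieces in order on the StoreFront server: load the StoreFront SDK, resolve the store, list any trusts already present so that a stale Endpoint Management certificate is revoked deliberately rather than left verifying tags, refuse a .cer that carries a private key, grant the new trust, and read the trust list back. The SDK import script path is the default StoreFront installation path; the store virtual path, certificate path and server name are assumptions for this example.

```powershell
# Added example (not from the Citrix documentation): register the converted certificate
# with the store and read the trust back to confirm what StoreFront will accept.
# ImportModules.ps1 is at the default StoreFront install location; the store path,
# certificate path and server name below are assumptions.
& "$env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

$store      = Get-STFStoreService -VirtualPath /Citrix/Store
$certPath   = "C:\SmartCert\xms.cer"
$serverName = "XMS server"

# Trusts already on the store keep validating tags until revoked, so list them first and
# decide whether an old Endpoint Management certificate should be removed.
$existing = @((Get-STFStorePnaSmartAccess -StoreService $store).AccessConditionsTrusts |
              Where-Object { $null -ne $_ })
if ($existing.Count -gt 0) {
    Write-Warning "The store already trusts $($existing.Count) SmartAccess certificate(s):"
    $existing | Format-List *
    # Uncomment to clear them before granting the new one:
    # Revoke-STFStorePnaSmartAccess -StoreService $store -All
}

# The .cer must be the public certificate only; the private key stays on the
# Endpoint Management server. Also print the thumbprint for later revoke-by-thumbprint.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
if ($cert.HasPrivateKey) {
    throw "Refusing to register a certificate that carries a private key."
}
"Registering certificate with thumbprint $($cert.Thumbprint) (expires $($cert.NotAfter))"

Grant-STFStorePnaSmartAccess -StoreService $store -CertificatePath $certPath -ServerName $serverName

# Read the trusts back: the new entry should appear with the server name you supplied.
(Get-STFStorePnaSmartAccess -StoreService $store).AccessConditionsTrusts | Format-List *
```

Run this in an elevated PowerShell session on the StoreFront server. The read-back at the end is the check worth keeping: if the new trust is missing or an unexpected extra trust remains, SmartAccess decisions will not match what the Endpoint Management server is signing.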

Configure the SmartAccess policy for Citrix Virtual Apps and Desktops

To add the required SmartAccess policy to the delivery group delivering the HDX app:

  1. Open Citrix Studio from the Citrix Cloud console.

  2. Select Delivery Groups in the Studio navigation pane.

  3. Select a group delivering the app or apps you want to control access to. Then select Edit Delivery Group in the Actions pane.

  4. On the Access Policy page, select Connections through Citrix Gateway and Connection meeting any of the following.

  5. Click Add.

  6. Add an access policy where Farm is XM and Filter is XMCompliantDevice.

  7. Click Apply to apply any changes you made and keep the window open, or click OK to apply changes and close the window.

Set automated actions in Endpoint Management

The SmartAccess policy that you set in the delivery group for an HDX app denies access to a device when the device is out of compliance. Use automated actions to mark the device as out of compliance.

  1. From the Endpoint Management console, click Configure > Actions. The Actions page appears.

  2. Click Add to add an action. The Action Information page appears.

  3. On the Action Information page, type a name and description for the action.

  4. Click Next. The Action details page appears. In the following example, a trigger is created that immediately marks devices as out of compliance if they have the user property name eng5 or eng6.

  5. In the Trigger list, choose Device property, User property, or Installed app name. SmartAccess doesn’t support event triggers.

  6. In the Action list:

    • Choose Mark the device as out of compliance.
    • Choose Is.
    • Choose True.
    • To set the action to mark the device as out of compliance immediately when the trigger condition is met, set the time frame to 0.
  7. Choose the Endpoint Management delivery group or groups to apply this action to.

  8. Review the summary of the action.

  9. Click Next and then click Save.

When a device is marked out of compliance, the HDX apps no longer appear in the Secure Hub store. The user is no longer subscribed to the apps. No notification is sent to the device, and nothing in the Secure Hub store indicates that the HDX apps were previously available.

If you want users to be notified when a device is marked out of compliance, create a notification and then create an automated action to send that notification.

This example creates and sends this notification when a device is marked out of compliance: “Device serial number or telephone number no longer complies with the device policy and HDX applications will be blocked.”

Create the notification users see when a device is marked as out of compliance

  1. In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Click Notification Templates. The Notification Templates page appears.

  3. On the Notification Templates page, click Add.

  4. When prompted to set up the SMS server first, click No, set up later.

  5. Configure these settings:

    • Name: HDX Application Block
    • Description: Agent notification when device is out of compliance
    • Type: Ad-Hoc Notification
    • Secure Hub: Activated
    • Message: Device ${firstnotnull(device.TEL_NUMBER,device.serialNumber)} no longer complies with the device policy and HDX applications will be blocked.

  6. Click Save.

Create the action that sends the notification when a device is marked out of compliance

  1. From the Endpoint Management console, click Configure > Actions. The Actions page appears.

  2. Click Add to add an action. The Action Information page appears.

  3. On the Action Information page, enter a name and description for the action:

    • Name: HDX blocked notification
    • Description: HDX blocked notification because device is out of compliance
  4. Click Next. The Action details page appears.

  5. In the Trigger list:

    • Choose Device property.
    • Choose Out of compliance.
    • Choose Is.
    • Choose True.

  6. In the Action list, specify the actions that occur when the trigger is met:

    • Choose Send notification
    • Choose HDX Application Block, the notification you created.
    • Choose 0. Setting this value to 0 causes the notification to be sent as soon as the trigger condition is met.
  7. Select the Endpoint Management delivery group or groups to apply this action to. In this example, choose AllUsers.

  8. Review the summary of the action.

  9. Click Next and then click Save.

For more information on setting automated actions, see Automated actions.

How users regain access to HDX apps

Users can gain access to HDX apps again after the device is brought back into compliance:

  1. On the device, go to the Secure Hub store to refresh the apps in the store.

  2. Go to the app and tap Add.

After the app is added, it appears in My Apps with a blue dot next to it, because it is a newly installed app.
