Configure access policies for the applications

Access policies allow you to enable or disable access to the apps based on the user or user groups. In addition, you can enable restricted access to the apps by adding the security restrictions.

  1. In the admin console, click Access Policies.
  2. Click Create Policy.

  3. In Applications, select the apps for which you want to enforce the access policies.
  4. In Users/User groups, select the condition and the users or user groups based on which app access must be allowed or denied.

    • Matches any of: Only the users or groups that match any of the names listed in the field are allowed access.
    • Does not match any: All users or groups except those listed in the field are allowed access.
  5. Click Add condition to add another condition based on contextual tags. These tags are derived from the NetScaler Gateway.

  6. Select Conditional Tags and then select the conditions based on which app access must be allowed or denied.

  7. In Then do the following, select one of the following actions that must be enforced on the app based on the condition evaluation.

    • Allow access
    • Allow access with restriction
    • Deny access

    When you select Allow access with restrictions, you can select the following restrictions.


    • Restrict clipboard access: Disables cut/copy/paste operations between the app and the system clipboard.
    • Restrict printing: Disables the ability to print from within the Citrix Enterprise Browser.
    • Restrict downloads: Disables the user’s ability to download from within the app.
    • Restrict uploads: Disables the user’s ability to upload within the app.
    • Display watermark: Displays a watermark on the user’s screen showing the user name and IP address of the user’s machine.
    • Restrict key logging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that the user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office 365 and the user edits an Office 365 Word document, all keystrokes are encrypted on key loggers.
    • Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.


    Key logging and screen capture restrictions are applicable only to Citrix Workspace desktop clients.

  8. In Policy name, enter a name for the policy.
  9. Select Enable policy on save. If you do not select this option, the policy is only created and not enforced on the applications. Alternatively, you can also enable the policy from the Access Policies page by using the toggle switch.

Access policy priority

After an access policy is created, a priority number is assigned to it by default. You can view the priority on the Access Policies home page.

A policy with a lower priority value has higher preference and is evaluated first. If that policy does not match the conditions defined, the policy with the next lowest priority number is evaluated, and so on.

You can change the priority order by moving the policies up or down by using the up-down icon in the Priority column.
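
The following sketch models the first-match evaluation described above so that you can reason about policy ordering before you change it in the console. It is an added example, not Citrix code. The data model, field names, sample policies, the AND combination of conditions, and the deny result when no policy matches are all assumptions.

```python
# Added illustration: simplified model of priority-ordered access policy evaluation.
# Not Citrix code; field names and the no-match fallback are assumptions.
from dataclasses import dataclass

@dataclass
class Condition:
    attribute: str      # "groups" or "tags" (hypothetical context keys)
    operator: str       # "matches_any" or "does_not_match_any"
    values: frozenset

    def matches(self, ctx):
        overlap = bool(self.values & set(ctx.get(self.attribute, ())))
        return overlap if self.operator == "matches_any" else not overlap

@dataclass
class Policy:
    name: str
    priority: int       # lower number is evaluated first
    apps: frozenset
    conditions: list
    action: str         # "allow", "allow_with_restrictions" or "deny"
    restrictions: tuple = ()
    enabled: bool = True  # mirrors "Enable policy on save"

def evaluate(policies, app, ctx):
    """Return (policy name, action, restrictions) for the first matching policy."""
    for p in sorted(policies, key=lambda p: p.priority):
        if not p.enabled or app not in p.apps:
            continue
        # Assumption: every condition on a policy must hold (AND).
        if all(c.matches(ctx) for c in p.conditions):
            return p.name, p.action, p.restrictions
    return None, "deny", ()  # assumption: no matching policy means no access

# Constructed sample policies for one app named "crm".
POLICIES = [
    Policy("contractors-restricted", 1, frozenset({"crm"}),
           [Condition("groups", "matches_any", frozenset({"contractors"}))],
           "allow_with_restrictions", ("restrict_downloads", "display_watermark")),
    Policy("block-unmanaged", 2, frozenset({"crm"}),
           [Condition("tags", "does_not_match_any", frozenset({"managed-device"}))],
           "deny"),
    Policy("staff-allow", 3, frozenset({"crm"}),
           [Condition("groups", "matches_any", frozenset({"staff"}))],
           "allow"),
]

if __name__ == "__main__":
    # A contractor on an unmanaged device matches priority 1 before the deny at 2.
    print(evaluate(POLICIES, "crm", {"groups": ["contractors"], "tags": []}))
```

With these sample policies, a contractor on a device without the managed-device tag is allowed with restrictions, because the priority 1 policy matches before the deny policy is reached. Moving the deny policy above it changes the result to deny.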

Next steps

Validate your configuration from the client machines (Windows and macOS).

Sample configuration validation
