Access restriction options

When you select the action Allow access with restrictions, you can select the security restrictions as per the requirement. These security restrictions are predefined in the system. Admins cannot modify or add other combinations.

Access restrictions

Clipboard

Enable/disable cut/copy/paste operations on a SaaS or internal web app with this access policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Copy

Enable/disable copying of data from a SaaS or internal web app with this access policy when accessed via Citrix Enterprise browser. Default value: Enabled.

Note:

  • If both Clipboard and Copy restrictions are enabled in a policy, the Clipboard restriction takes precedence over the Copy restriction.
  • End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which this restriction is enabled. Else, the application access is restricted.
  • For granular control of copy operations within the apps, admins can use the Security groups restriction. For details, see Clipboard restriction for security groups.

Download restriction by file type

Enable/disable the user’s ability to download specific MIME (file) type from within the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser.

Note:

  • The Download restriction by file type restriction is available in addition to the Download restriction.
  • If both Downloads and Download restriction by file type restrictions are enabled in a policy, the Downloads restriction takes precedence over the Download restriction by file type restriction.
  • End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which this restriction is enabled. Else, the application access is restricted.

To enable downloading of MIME types, perform the following steps:

  1. Create or edit an access policy. For details on creating an access policy, see Configure access policies.
  2. In Actions, select Allow with restrictions.
  3. Click Download restriction by file type and then click Edit.
  4. In the Download restriction by file type settings page, select one of the following:

    • Allow all downloads with exceptions – Select the types that must be blocked and allow all other types.
    • Block all downloads with exceptions – Select only the types that can be uploaded and block all other types.
  5. If the file type does not exist in the list, then do the following:

    1. Click Add custom MIME types.
    2. In Add MIME types, enter the MIME type in the format category/subcategory<extension>. For example, image/png.
    3. Click Done.

    The MIME type now appears in the list of exceptions.

When an end user tries to download a restricted file type, Citrix Enterprise Browser displays the following warning message:

Download

Downloads

Enable/disable the user’s ability to download from within the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Note:

If both Downloads and Download restriction by file type restrictions are enabled in a policy, the Downloads restriction takes precedence over the Download restriction by file type.

Insecure content

Enable/disable end users from accessing insecure content within the SaaS or internal web app configured with this policy when accessed via Citrix Enterprise Browser. Insecure content is any file linked to from a web page using an HTTP link rather than an HTTPS link. Default value: Enabled.

The following figure displays a sample notification when you access insecure content.

Download

Keylogging protection

Enable/disable keyloggers from capturing keystrokes from the SaaS or internal web app with this access policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Microphone

Prompt/do not prompt users every time to access the microphone within the SaaS or internal web app configured with this policy when accessed via Citrix Enterprise Browser. Default value: Prompt every time.

End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which the Microphone restriction is enabled.

To allow microphone everytime without being prompted, perform the following steps:

  1. Create or edit an access policy. For details, see Configure access policies.
  2. In Actions, select Allow with restrictions.
  3. Click Microphone and then click Edit.
  4. In Microphone settings page, click Always allow access.
  5. Click Save, and then click Done.

Note:

  • If the Microphone restriction is enabled in Secure Private Access policy, then Citrix Enterprise Browser displays the settings Allow.
  • If the option Prompt every time in Secure Private Access policy, then the setting applied on Citrix Enterprise Browser varies depending on whether or not Global App Configuration service (GACS) is used to manage Citrix Enterprise Browser.
    • If GACS is used, then the GACS setting is applied on Citrix Enterprise Browser.
    • If GACS is not used, then Citrix Enterprise Browser displays the setting Ask.
  • Currently, Secure Private Access does not support blocking of microphone. If you need to block microphone, you must do it through GACS.

For more information on GACS, see Manage Citrix Enterprise Browser through Global App Configuration service.

Notifications

Allow/prompt users every time to view the notifications within the SaaS or internal web app configured with this policy when accessed via Citrix Enterprise Browser. Default value: Prompt every time.

End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which this restriction is enabled.

To block display of notifications without prompting, perform the following steps.

  1. Create or edit an access policy. For details, see Configure access policies.
  2. In Actions, select Allow with restrictions.
  3. Click Notifications and then click Edit.
  4. In Notification settings page, click Always block notifications.
  5. Click Save, and then click Done.

Paste

Enable/disable pasting of copied data into the SaaS or internal web app with this access policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Note:

  • If both Clipboard and Paste restrictions are enabled in a policy, the Clipboard restriction takes precedence over the Paste restriction.
  • End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which this restriction is enabled. Else, the application access is restricted.
  • For granular control of paste operations within the apps, admins can use the Security groups restriction. For details, see Clipboard restriction for security groups.

Personal data masking

Enable/disable redacting or masking personally identifiable information (PII) on the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser.

Note:

End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which this restriction is enabled. Else, the application access is restricted.

To redact or mask personally identifiable information, perform the following steps:

  1. Create or edit an access policy. For details, see Configure access policies.
  2. In Actions, select Allow with restrictions.
  3. Click Personal data masking and then click Edit.
  4. Select the information type that you want to obscure or mask and then click Add.

    If the information type does not appear in the pre-defined list, then you can add a custom information type. For details, see Add custom information type.

  5. Select the masking type.

    • Full masking – Completely cover the sensitive information to make it unreadable.
    • Partial masking – Partially cover the sensitive information. Only the relevant sections are covered leaving the rest intact.

      When you select Partial marking, you must select characters starting from the beginning or the end of the document. You must enter the numbers in the First masked characters and Last masked characters fields.

      The Preview field displays the masking format. This preview is not available for custom policies.

  6. Click Save and then click Done.

Add custom information type

You can add a custom information type by adding the information type’s regular expression.

  1. In Select Information type, select Custom, and then click Add.
  2. In Field name, enter the name for the information type that you want to mask.
  3. In Number of characters, enter the number of characters of the information type.
  4. In Regular Expression (RE2 library), enter the expression for the custom information type. For example, ^4[0-9]{12}(?:[0-9]{3})?$.
  5. Select masking type, if you want to mask the complete information or the first or last few characters.
  6. Click Save, and then click Done.

Masking1

The following figure displays a sample app in which the PII is masked. The figure also displays the notification related to masking of the PII.

Masking2

Popups

Enable/disable the display of popups within the SaaS or internal web app configured with this policy when accessed via Citrix Enterprise Browser. By default popups are disabled within web pages. Default value: Always block pop-ups.

End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which this restriction is enabled.

To enable display of popups, perform the following steps:

  1. Create or edit an access policy. For details, see Configure access policies.
  2. In Actions, select Allow with restrictions.
  3. Click Popups and then click Edit.
  4. In Popups settings page, click Always allow pop-ups.
  5. Click Save, and then click Done.

Printing

Enable/disable printing data from the configured SaaS or Internal web apps with this policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

The following message appears when an end user tries to print content from the application for which printing restriction is enabled.

Printing2

Note:

If both Printing and Printer management restrictions are enabled in a policy, the Printing restriction takes precedence over the Printer management restriction.

Printer management

Enable/disable printing data by using the admin-configured printers from the configured SaaS or internal web apps with this policy when accessed via Citrix Enterprise Browser.

Note:

  • The Printer management restriction is available in addition to the Printing restriction where printing is either enabled or disabled. If both Printing and Printer management restrictions are enabled in an access policy, the Printing restriction takes precedence over the Printer management restriction.
  • End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which this restriction is enabled. Else, the application access is restricted.

To enable/disable printing restrictions, perform the following steps:

  1. Create or edit an access policy. For details on creating an access policy, see Configure access policies.
  2. In Actions, select Allow with restrictions.
  3. Click Printer management and then click Edit.

Printing1

  1. Select the exceptions as per your requirement.

    • Network printers - A network printer is a printer that can be connected to a network and used by multiple users.
      • Disabled: Printing from any printers in the network is disabled.
      • Enabled: Printing from all network printers is enabled. If printer hostnames are specified, then all other network printers apart from the ones specified are blocked.

      Note: Network printers are identified by their hostnames.

    • Local printers - A local printer is a device directly connected to an individual computer through a wired connection. This connection is typically facilitated through USB, parallel ports, or other direct interfaces.
      • Disabled: Printing from all local printers are disabled.
      • Enabled: Printing from all local printers are enabled.
    • Print using Save as PDF
      • Disabled: Saving the content from the application in a PDF format is disabled.
      • Enabled: Saving the content from the application in a PDF format is enabled.
  2. Click Save.

If a network printer is disabled, then the specific printer name appears grayed out when you try to select the printer in the Destination field.

Also, if Print using Save as PDF is disabled, then when you click the See more link in the Destination field, the Save as PDF option appears grayed out.

Printing3

Screen capture

Enable/disable the ability to capture the screens from the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured. Default value: Enabled.

Upload restriction by file type

Enable/disable the user’s ability to download specific MIME (file) type from the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser.

Note:

  • The Upload restriction by file type restriction is available in addition to the Upload restriction.
  • If both Upload and Upload restriction by file type restrictions are enabled in a policy, the Uploads restriction takes precedence over the Upload restriction by file type restriction.
  • End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which this restriction is enabled. Else, the application access is restricted.

To enable/disable uploading of MIME types, perform the following steps:

  1. Create or edit an access policy. For details, see Create access policies.
  2. In Actions, select Allow with restrictions.
  3. Click Upload restriction by file type and then click Edit.
  4. In the Upload restriction by file type settings page, select one of the following:

    Allow all uploads with exceptions – Upload all files except the selected types. Block all uploads with exceptions – Blocks all file types from uploading except the selected types.

  5. If the file type does not exist in the list, then do the following:

    1. Click Add custom MIME types.
    2. In Add MIME types, enter the MIME type in the format category/subcategory<extension>. For example, image/png.
    3. Click Done.

    The MIME type now appears in the list of exceptions.

When an end user tries to upload a restricted file type, Citrix Enterprise Browser displays a warning message.

Upload

Uploads

Enable/disable the user’s ability to upload within the SaaS or internal web app configured with this policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Note:

If both Uploads and Upload restriction by file type restrictions are enabled in a policy, the Uploads restriction takes precedence over the Upload restriction by file type restriction.

Watermark

Enable/disable the watermark on the user’s screen displaying the user name and IP address of the user’s machine. Default value: Disabled.

Webcam

Prompt/do not prompt users every time to access the webcam within the SaaS or internal web app configured with this policy when accessed via Citrix Enterprise Browser. Default value: Prompt every time.

End users must use Citrix Enterprise Browser version 126 or later for accessing applications for which the Webcam restriction is enabled.

To allow webcam everytime without being prompted, perform the following steps:

  1. Create or edit an access policy. For details, see Configure access policies.
  2. In Actions, select Allow with restrictions.
  3. Click Webcam and then click Edit.
  4. In Webcam settings page, click Always allow access.
  5. Click Save, and then click Done.

Note:

  • If the Webcam restriction is enabled in Secure Private Access policy, then Citrix Enterprise Browser displays the settings Allow.
  • If the option Prompt every time in Secure Private Access policy, then the setting applied on Citrix Enterprise Browser varies depending on whether or not Global App Configuration service (GACS) is used to manage Citrix Enterprise Browser.
    • If GACS is used, then the GACS setting is applied on Citrix Enterprise Browser.
    • If GACS is not used, then Citrix Enterprise Browser displays the setting Ask.
  • Currently, Secure Private Access does not support blocking of webcam. If you need to block webcam, you must do it through GACS.

For more information on GACS, see Manage Citrix Enterprise Browser through Global App Configuration service.

Clipboard restriction for security groups

You can enable clipboard access for a designated group of apps by using the Security groups restriction (Applications > Security groups). Security groups are assigned a set of apps within which the copy and paste operations can be performed. To enable clipboard access within the apps in a security group, you must just have an access policy configured with the action allow or allow with restrictions without selecting any access setting.

  • When the Security groups restriction is enabled, you cannot copy / paste data between applications in different security groups. For example if the app “ProdDocs” belongs to security group “SG1” and app “Edocs” belong to security group “SG2”, you cannot copy / paste content from “Edocs” to “ProdDocs” even if Copy / Paste restriction is enabled for both groups.
  • For apps not part of a security group, you can have an access policy created with action allow with restrictions and selecting the restrictions (Copy, Paste, or Clipboard). In this case, the app is not part of a security group and hence the Copy / Paste restriction can be applied on that app.

Note:

You can also restrict clipboard access for apps accessed via Citrix Enterprise Browser through Global App Configuration service (GACS). If you are using GACS to manage Citrix Enterprise Browser, then use the Enable Sandboxed Clipboard option to manage the clipboard access. When you restrict clipboard access through GACS, it applies to all apps accessed via Citrix Enterprise Browser. For more information on GACS, see Manage Citrix Enterprise Browser through Global App Configuration service.

To create a security group, perform the following steps:

  1. In the Secure Private Access console, click Applications and then click Security groups.
  2. Click Add a new security group.

Security group

  1. Enter a name for the security group.
  2. In Add web or SaaS applications, choose the applications that you want to group together to enable the copy and paste control. For example, Wikipedia, Pinterest and Dribble.
  3. Click Save.

For details on Advanced clipboard settings, see Enable copy / paste controls for native applications and unpublished apps.

When end users launch these applications (Wikipedia, Pinterest and Dribble) from Citrix Workspace, they must be able to share data (copy / paste) from one application to the other applications within the security group. The copy / paste occurs irrespective of other security restrictions that are already enabled for the applications.

However, end users cannot copy and paste content from their local applications on their machines or unpublished applications to these designated applications and vice versa. The following notification appears when content is copied from the designated applications into another application:

Paste error

Note:

You can enable copy / paste content from local applications on user machines or unpublished applications controls by using the options in the Advanced clipboard settings section. For details, see Enable copy / paste controls for native applications and unpublished apps.

Enable granular level copy / paste

You can enable granular level clipboard access within the applications in a designated group. You can do so by creating access policies for the applications and enabling the Copy / Paste restriction as per your requirement.

Note:

Ensure that the specific access policy that you have created for granular level clipboard access has a higher priority than the policy that you have created for the security groups.

Example:

Consider that you have created a security group with three applications namely, Wikipedia, Pinterest and Dribble.

Now, you want to restrict pasting of content from Wikipedia or Dribble into Pinterest. To do so, perform the following steps:

  1. Create or edit an access policy assigned for the application Pinterest. For details on creating an access policy, see Configure access policies.
  2. In Actions, select Allow with restrictions.
  3. Select Paste.

Although Pinterest is part of a security group which also contains Wikipedia and Dribble, users cannot copy content from Wikipedia or Dribble to Pinterest because of the access policy associated with Pinterest in which the Paste restriction is enabled.

Paste error2

Enable copy / paste controls for native applications and unpublished apps

  1. Create a security group. For details, see Clipboard security groups for Copy and Paste restrictions.
  2. Expand Advanced clipboard settings.

    Advance options

  3. Select the following options as per your requirement:

    • Allow copying of data from the security group to unpublished domains – Enable copying of data from applications in the security groups to the apps that are not published in Secure Private Access.
    • Allow copying of data from the security group to native apps - Enable copying of data from the applications in the security groups to the local applications on your machines.
    • Allow copying of data from the unpublished domains to the security group – Enable copying of data from the apps not published through Secure Private Access to the applications in the security groups.
    • Allow copying of data from native apps operating system the security group - Enable copying of data from local applications on the machines to the applications.

Known issues

  • The routing table in (Settings > Application Domain) retains the domains of a deleted application. Hence, these applications are also considered as published applications in Secure Private Access. If these domains are accessed directly from Citrix Enterprise Browser, copy / paste is disabled from these applications irrespective of the options that you have selected in Advanced clipboard settings.

    For example, assume the following scenario:

    • You have deleted an application named Jira2 (https://test.citrite.net) that was part of a security group.
    • You have enabled the option Allow copying of data from the security group to unpublished domains.

    In this scenario, if the user tries to copy data from this application into another application in the same security group, the pasting control is disabled. A notification regarding the same is displayed to the user.

  • For a SaaS app, the app access can be denied if the application is configured with an access policy with action Deny access. The end users can still access the app because the app traffic is not tunneled through Secure Private Access. Also, if the application is part of the security group, the security group settings are not honored and hence you cannot copy / paste content from the application.