Device Posture

Citrix Device Posture service is a cloud-based solution that helps admins to enforce certain requirements that the end devices must meet to gain access to Citrix DaaS (virtual apps and desktops) or Citrix Secure Private Access resources (SaaS, Web apps, TCP, and UDP apps). Establishing device trust by checking the device’s posture is critical to implement zero-trust-based access. Device Posture service enforces zero trust principles in your network by checking the end devices for compliance (managed/BYOD and security posture) before allowing an end-user to log in.

Prerequisites

  • Licensing requirements: The entitlement for Citrix Device Posture service is part of Citrix DaaS Premium, Citrix DaaS Premium Plus, and Citrix Secure Private Access Advanced licenses. Customers with other licenses can purchase Device Posture Service entitlement as an add-on.

  • Supported platforms:

    • Windows (10 and 11)
    • macOS 13 Ventura
    • macOS 12 Monterey

    Note:

    • A device running on a non-supported platform is marked as non-compliant by default. You can change the classification from Non-compliant to Denied login from the Settings tab on the Device Posture page.

    • A device that is running on a supported platform but does not match any pre-defined device posture policy is marked as non-compliant, by default. You can change the classification from Non-compliant to Denied login from the Settings tab on the Device Posture page.

  • Citrix Device Posture client (EPA client): A lightweight application that must be installed on the endpoint device to run device posture scans. This application does not require local admin rights to download and install on an endpoint.

  • Supported browsers: Chrome, Edge, and Firefox.

How it works

Admins create device posture policies to check the posture of endpoint devices and determine whether an endpoint device is allowed or denied login. Devices that are allowed to log in are further classified as compliant or non-compliant. Users can log in from a browser or from the Citrix Workspace app.

Following are the high-level conditions used to classify a device as compliant, non-compliant, and denied login.

  • Compliant devices – A device that meets the pre-configured policy requirements and is allowed to log in to the company’s network with full or unrestricted access to Citrix Secure Private Access resources or Citrix DaaS resources.
  • Non-Compliant devices – A device that meets the pre-configured policy requirements and is allowed to log in to the company’s network with partial or restricted access to Citrix Secure Private Access resources or Citrix DaaS resources.
  • Denied login – A device that fails to meet the policy requirements is denied login.

Device posture settings

The classification of devices as compliant, non-compliant, or denied login is passed on to Citrix DaaS and the Citrix Secure Private Access service, which in turn use the device classification to provide smart access capabilities.

Device posture use case

Note:

  • The device posture policies must be configured specifically for each platform. For example, for macOS, an admin can allow access for the devices that have a specific OS version. Similarly, for Windows, the admin can configure policies to include a specific authorization file, registry settings, and so on.
  • Device posture scans are done only during pre-authentication/before logging in.
  • For definitions of “compliant” and “non-compliant,” see Definitions.

Scans supported by device posture

The following scans are supported by the Citrix Device Posture service:

Scan                                           Windows   macOS
---------------------------------------------  --------  -----
Citrix Workspace app version                   Yes       Yes
File (exists, file name, and path)             Yes       Yes
MAC Address                                    Yes       Yes
Operating System version                       Yes       Yes
Process (exists)                               Yes       Yes
Microsoft Endpoint Manager                     Yes       Yes
Domain Name                                    Yes       -
Non-Numeric Registry (32 Bit)                  Yes       -
Non-Numeric Registry (64 Bit)                  Yes       -
Numeric Registry (32 Bit)                      Yes       -
Numeric Registry (64 Bit)                      Yes       -
Windows Update Installation Type               Yes       -
Windows Update Installation Last Update check  Yes       -

Third-party integration with device posture

In addition to the native scans offered by the Device Posture service, the service can also be integrated with other third-party solutions. Device Posture is integrated with Microsoft Endpoint Manager (MEM) on Windows and macOS. For details on MEM integration configuration, see Microsoft Endpoint Manager integration with Device Posture - Preview.

Configure device posture

Device posture is a combination of policies and rules that a device must meet to gain access to the resources. Each policy is associated with one of three actions: compliant, non-compliant, or denied login. In addition, each policy has a priority. Policies are evaluated in priority order; evaluation stops at the first policy that evaluates to true, and that policy’s action is taken.

  1. Sign in to Citrix Cloud, and then select Identity and Access Management from the hamburger menu.
  2. Click the Device Posture tab, and then click Manage.

    Device posture tab

    Note:

    • Secure Private Access service customers can directly click Device Posture on the left navigation in the admin user interface.
    • For first-time users, the Device Posture landing page prompts you to create a device posture policy. Device posture policies must be configured individually for each platform. Once you create a device posture policy, it is listed under the appropriate platform.
    • A policy comes into effect only after device posture is enabled. To enable device posture, slide the Device posture is disabled toggle in the top-right corner to ON.

    Enable device posture

  3. Click Create device policy.
  4. In Platform, select the platform for which you want to apply a policy. You can change the platform from Windows to macOS or vice versa, irrespective of the tab that you selected on the Device Posture home page.

  5. In Select Rule, select the check that you want to perform as part of device posture and select the conditions that must be matched.
  6. Click Add another rule to create multiple rules. An AND condition is applied on multiple rules.

    Configure device posture

  7. In Policy result based on the conditions that you have configured, select the type under which the device scan must classify the user device.

    • Compliant
    • Non-compliant
    • Denied access
  8. Enter a name for the policy.
  9. In Priority, enter the order in which the policies must be evaluated.

    • You can enter a value between 1 and 100. It is recommended that you configure deny policies with the highest priority, followed by non-compliant policies, and finally compliant policies.
    • The lower the priority value, the higher the preference: a policy with priority 1 is evaluated before a policy with priority 2.
    • Only enabled policies are evaluated, in priority order.
  10. Click Create.

    Configure device posture

Important:

You must turn the Enable when created toggle switch to ON for the device posture policies to take effect. Before you enable the policies, it is recommended that you verify that the policies are correctly configured, and that you perform these tasks in your test setup first.
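The evaluation model described above (per-platform policies, AND across rules, lowest priority value first, stop at the first match, non-compliant by default for unmatched or unsupported devices) and the uppercase tags that the DaaS access policy filter expects later on this page, written out as an added example. This is illustrative code, not Citrix’s implementation; the policy names, domain, process name and the tuple form of the OS version are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Policy:
    name: str
    platform: str         # "Windows" or "macOS"; policies are configured per platform
    rules: dict           # rule name -> expected value or predicate; all must match (AND)
    result: str           # "Compliant", "Non-compliant" or "Denied access"
    priority: int         # 1 to 100; the lower value is evaluated first
    enabled: bool = True  # only enabled policies are evaluated

SUPPORTED_PLATFORMS = {"Windows", "macOS"}
DEVICE_TYPE_TAGS = {"Windows": "DEVICE_TYPE_WINDOWS", "macOS": "DEVICE_TYPE_MAC"}

def rule_matches(expected, actual) -> bool:
    return expected(actual) if callable(expected) else expected == actual

def evaluate(scan: dict, policies: list, unmatched: str = "Non-compliant") -> Tuple[str, Optional[str]]:
    """Classify one scan: (result, matching policy name or None). `unmatched` applies to a
    non-supported platform or a device matching no policy (default Non-compliant)."""
    platform = scan.get("platform")
    if platform not in SUPPORTED_PLATFORMS:
        return unmatched, None
    candidates = [p for p in policies if p.enabled and p.platform == platform]
    for p in sorted(candidates, key=lambda p: p.priority):
        if all(rule_matches(exp, scan.get(rule)) for rule, exp in p.rules.items()):
            return p.result, p.name  # evaluation stops at the first policy that is true
    return unmatched, None

def smart_access_tags(result: str, policy_name: Optional[str], platform: str) -> set:
    """Uppercase tags handed to DaaS / Secure Private Access; empty set = login denied."""
    if result == "Denied access":
        return set()
    tags = {result.upper(), DEVICE_TYPE_TAGS[platform]}
    if policy_name:
        tags.add(policy_name.upper())
    return tags

# Constructed sample Windows policies; names, domain and process name are assumptions.
POLICIES = [
    Policy("Block outdated Windows", "Windows",
           {"os_version": lambda v: v is not None and v < (10, 0, 19045)}, "Denied access", 1),
    Policy("Corp managed device", "Windows",
           {"domain": "corp.example.com",
            "processes": lambda ps: bool(ps) and "corp-agent.exe" in ps}, "Compliant", 20),
    Policy("BYOD workgroup device", "Windows", {"domain": "WORKGROUP"}, "Non-compliant", 30),
    Policy("Deny everything (draft)", "Windows", {}, "Denied access", 1, enabled=False),
]
```

Passing "Denied access" as `unmatched` models the Settings-tab option that changes the default classification from Non-compliant to Denied login.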

Edit a device posture policy

The configured device posture policies are listed under the specific platform in the Device Scans page. You can search for the policy you want to edit from this page. You can also enable, disable, or delete a policy from this page.

Edit device posture policy

Configure contextual access (smart access) using device posture

After device posture verification allows a device to log in, the device is classified as either compliant or non-compliant. This classification is made available as tags to the Citrix DaaS service and the Citrix Secure Private Access service, which use it to provide contextual access based on device posture. Therefore, Citrix DaaS and Citrix Secure Private Access must be configured to enforce access control using the device posture tags.

Citrix DaaS Configuration with Device Posture

  1. Sign into Citrix Cloud.
  2. On the DaaS tile, click Manage.
  3. Go to the Delivery Group section from the left-hand menu.
  4. Select the delivery group for which you want to configure access control based on device posture and click Edit.
  5. In the Edit Delivery Group page, click Access Policy.
  6. Click Add on the Access Policy page, and enter the value Workspace in Farm.
  7. In Filter, enter one of the following values.

    • COMPLIANT - For compliant devices
    • NON-COMPLIANT - For non-compliant devices

    Note:

    The device classification tags must be entered exactly as shown, all in uppercase (COMPLIANT and NON-COMPLIANT). Otherwise, the device posture policies do not work as intended.

    In addition to the device classification tags, the Device Posture service also returns the operating system tag and the access policy tag associated with the device. The operating system tags and the access policy tags must be entered in uppercase only.

    • DEVICE_TYPE_WINDOWS
    • DEVICE_TYPE_MAC
    • Exact policy name (uppercase)
  8. Click Save.

Device posture tags

Note:

Any DaaS delivery group which is not tagged as compliant or non-compliant in the DaaS access policy is treated as the default delivery group and is accessible on all the endpoints regardless of device posture.

Citrix Secure Private Access configuration with Device Posture

  1. Sign into Citrix Cloud.
  2. On the Secure Private Access tile, click Manage.
  3. Click Access Policies on the left navigation and then click Create policy.
  4. Enter the policy name and description of the policy.
  5. In Applications, select the app or set of apps on which this policy must be enforced.
  6. Click Create Rule to create rules for the policy.
  7. Enter the rule name and a brief description of the rule, and then click Next.
  8. Select the user conditions. The Users condition is mandatory and must be met before users are granted access to the applications.
  9. Click + to add device posture condition.
  10. Select Device posture check and the logical expression from the drop-down menu.
  11. Enter one of the following values in custom tags:

    • Compliant - For compliant devices
    • Non-Compliant - For non-compliant devices
  12. Click Next.
  13. Select the actions that must be applied based on the condition evaluation, and then click Next.

    The Summary page displays the policy details.

  14. You can verify the details and click Finish.

    For more details on creating access policies, see Configure an access policy with multiple rules.

Note:

Any Secure Private Access application which is not tagged as compliant or non-compliant in the access policy is treated as the default application and is accessible on all the endpoints regardless of device posture.

Device posture SPA tags

End-user flow

Once the device posture policies are set and device posture is enabled, the following are the end-user flows based on how the end user is logging into Citrix Workspace.

End-user flow via browser access

Note:

The macOS client and the Chrome browser are used as an example for illustration purposes. The screens and the notifications vary depending on the client and the browser that you use to access the Citrix Workspace URL.

  • When an end user logs on to the Citrix Workspace URL https://<your-workspace-URL> through a browser, the end user is prompted to run the Citrix EndPointAnalysis application.

    Install application

  • When the end user clicks Open Citrix End Point Analysis, the device posture client runs and scans the endpoint parameters based on device posture policy requirements.

  • If the latest device posture client is not installed on the endpoint, the user is redirected to a page that displays the options Check again and Download Client. The user must click Download Client.

  • If the latest device posture client is already installed on the endpoint, the user must click Check again.

    Confirm client version

End-user flow via Citrix Workspace application

  • When an end user logs on to the Citrix Workspace URL https://your-workspace-url through the Citrix Workspace application, the device posture client installed on the endpoint runs and scans the endpoint parameters based on device posture policy requirements.
  • If the latest device posture client is not installed on the endpoint, the user is redirected to a page that displays the options Check again and Download Client. The user must click Download Client.
  • If the latest device posture client is already installed on the endpoint, the user must click Check again.

End-user flow - Device posture results

Based on the device posture policy conditions, three possibilities can occur.

If an endpoint meets the policy conditions such that the device is categorized as:

  • Compliant - The end user is allowed to log in with unrestricted access to Secure Private Access or Citrix DaaS resources.
  • Non-compliant - The end user is allowed to log in with restricted access to Secure Private Access or Citrix DaaS resources.

    Access allowed

If an endpoint meets the policy conditions such that the device is categorized as Denied access, the Access denied message appears.

Access denied

Device posture logs

In the current release, device posture event logs can be viewed on the Secure Private Access dashboard. Perform the following steps to view the event logs for the Device Posture service.

  1. Sign into Citrix Cloud.
  2. On the Secure Private Access tile, click Manage.
  3. Go to the Dashboard section from the left-hand menu.
  4. Click the See more link in the Diagnostic Logs chart to view the device posture event logs.

Dashboard

  • Admins can filter the logs based on the transaction ID in the Diagnostic logs chart. The transaction ID is also displayed to the end user whenever access is denied.

    Transaction ID

  • If there is an error or a scan failure, the Device Posture service displays a transaction ID. This transaction ID is also available in the Secure Private Access service dashboard. If the logs do not help resolve the issue, end users can share the transaction ID with Citrix Support to resolve the issue.

    Error

  • The Windows client logs can be found at:

    • %localappdata%\Citrix\EPA\dpaCitrix.txt
    • %localappdata%\Citrix\EPA\epalib.txt
  • The macOS client logs can be found at:

    • ~/Library/Application Support/Citrix/EPAPlugin/EpaCloud.log
    • ~/Library/Application Support/Citrix/EPAPlugin/epaplugin.log

Known limitations

  • Custom workspace URLs are not supported with Device Posture service.
  • After the device posture toggle button is turned on or off, it can take anywhere from a few minutes to an hour for device posture functionality to be enabled or disabled.
  • Changes to the device posture configuration do not take effect immediately. It might take around 10 minutes for the changes to take effect.
  • If you have enabled the Service Continuity option in Citrix Workspace and the Device Posture service is down, users might be unable to sign in to Workspace. This is because Citrix Workspace enumerates apps and desktops based on the local cache on the user device.
  • If you have configured a long-lived token and password on Citrix Workspace, the device posture scan does not work for this configuration. Devices are scanned only when users log in to Citrix Workspace.
  • Each platform can have a maximum of 10 policies and each policy can have a maximum of 10 rules.
  • Role based access is not supported with the Device Posture service.

Quality of service

  • Performance: Under ideal conditions, the Device Posture service adds an additional 2 seconds of delay during login. This delay might increase depending on additional configurations such as third-party integrations like Microsoft Endpoint Manager (MEM). Device posture integration with MEM is under Preview.
  • Resiliency: Device Posture service is highly resilient with multiple POPs to ensure that there is no downtime.

Definitions

The terms compliant and non-compliant, in reference to the Device Posture service, are defined as follows.

  • Compliant devices – A device that meets the pre-configured policy requirements and is allowed to log in to the company’s network with full or unrestricted access to Citrix Secure Private Access resources or Citrix DaaS resources.
  • Non-Compliant devices – A device that meets the pre-configured policy requirements and is allowed to log in to the company’s network with partial or restricted access to Citrix Secure Private Access resources or Citrix DaaS resources.