Citrix Secure Private Access

Access restriction options

When you select the action Allow access with restrictions while creating an access policy, you can select the access restrictions. These restrictions are predefined in the system. Admins cannot modify or add other combinations. For details on creating an access policy and enabling access restrictions, see Configure an access policy.

Access restrictions

Clipboard

Enable/disable cut/copy/paste operations on a SaaS or internal web app with this access policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Copy

Enable/disable copying of data from a SaaS or internal web app with this access policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Note:

  • If both Clipboard and Copy restrictions are enabled in a policy, the Clipboard restriction takes precedence over the Copy restriction.
  • End users must use Citrix Enterprise Browser version 2405 or later to access applications for which this restriction is enabled. Otherwise, application access is restricted.
  • For granular control of copy operation within the apps, admins can use the Security groups restriction. For details, see Clipboard restriction for security groups.

Download restriction by file type

Enable/disable the user’s ability to download specific MIME (file) types from within the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser.

Note:

  • The Download restriction by file type restriction is available in addition to the Download restriction.
  • If both Downloads and Download restriction by file type restrictions are enabled in a policy, the Downloads restriction takes precedence over the Download restriction by file type restriction.
  • End users must use Citrix Enterprise Browser version 2405 or later to access applications for which this restriction is enabled. Otherwise, application access is restricted.

To enable downloading of MIME types, perform the following steps:

  1. Create or edit an access policy. For details, see Create access policies.
  2. In the Step 3: Action page, select Allow with restrictions.
  3. Click Download restriction by file type and then click Edit.
  4. In the Download restriction by file type settings page, select one of the following:

    • Allow all downloads with exceptions – Select the types that must be blocked and allow all other types.
    • Block all downloads with exceptions – Select only the types that can be downloaded and block all other types.
  5. If the file type does not exist in the list, then do the following:

    1. Click Add custom MIME types.
    2. In Add MIME types, enter the MIME type in the format category/subcategory<extension>. For example, image/png.
    3. Click Done.

    The MIME type now appears in the list of exceptions.

When an end user tries to download a restricted file type, Citrix Enterprise Browser displays the following message:

[Figure: Download]

Downloads

Enable/disable the user’s ability to download from within the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Note:

If both Downloads and Download restriction by file type restrictions are enabled in a policy, the Downloads restriction takes precedence over the Download restriction by file type.

Keylogging protection

Enable/disable keyloggers from capturing keystrokes from the SaaS or internal web app with this access policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Paste

Enable/disable pasting of copied data into the SaaS or internal web app with this access policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Note:

  • If both Clipboard and Paste restrictions are enabled in a policy, the Clipboard restriction takes precedence over the Paste restriction.
  • End users must use Citrix Enterprise Browser version 126 or later to access applications for which this restriction is enabled. Otherwise, application access is restricted.
  • For granular control of paste operation within the apps, admins can use the Security groups restriction. For details, see Clipboard restriction for security groups.

Personal data masking

Enable/disable redacting or masking of personally identifiable information (PII) on the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser. The PII can be credit card numbers, social security numbers, dates, and so on. You can also define custom rules for detecting specific types of sensitive information and masking it accordingly. The Personal data masking restriction also provides an option to fully or partially mask the information.

Note:

End users must use Citrix Enterprise Browser version 2405 or later to access applications for which this restriction is enabled. Otherwise, application access is restricted.

To redact or mask personally identifiable information, perform the following steps:

  1. Create or edit an access policy. For details, see Create access policies.
  2. In the Step 3: Action page, select Allow with restrictions.
  3. Click Personal data masking and then click Edit.
  4. Select the information type that you want to obscure or mask and then click Add.

    If the information type does not appear in the pre-defined list, then you can add a custom information type. For details, see Add custom information type.

  5. Select the masking type.

    • Full masking – Completely cover the sensitive information to make it unreadable.
    • Partial masking – Partially cover the sensitive information. Only the relevant sections are covered leaving the rest intact.

      When you select Partial masking, you must select the characters to mask starting from the beginning or the end of the document. Enter the numbers in the First masked characters and Last masked characters fields.

      The Preview field displays the masking format. This preview is not available for custom policies.

  6. Click Save and then click Done.

Add custom information type

You can add a custom information type by adding the information type’s regular expression.

  1. In Select Information type, select Custom, and then click Add.
  2. In Field name, enter the name for the information type that you want to mask.
  3. In Number of characters, enter the number of characters in the information type.
  4. In Regular Expression (RE2 library), enter the expression for the custom information type. For example, ^4[0-9]{12}(?:[0-9]{3})?$.
  5. Select the masking type: whether to mask the complete information or only the first or last few characters.
  6. Click Save, and then click Done.
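The following is an added worked illustration of the masking semantics described above; it is example code, not Citrix’s implementation. A rule mirrors the Visa expression from step 4, partial masking hides the First masked characters and Last masked characters, and a partial request that would hide every character degenerates to full masking. Python’s re module stands in for RE2 (the pattern syntax used here is valid in both), and treating Number of characters as an exact-length check is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class MaskRule:
    name: str              # Field name
    length: int            # Number of characters (assumed here to be an exact-length check)
    pattern: str           # Regular Expression (RE2 library); keep it RE2-compatible
    full: bool = True      # full masking when True, otherwise partial masking
    first_masked: int = 0  # First masked characters (partial masking only)
    last_masked: int = 0   # Last masked characters (partial masking only)


# Constructed rules: the Visa pattern quoted on the page, plus an illustrative US SSN pattern.
RULES = [
    MaskRule("Visa card", 16, r"^4[0-9]{12}(?:[0-9]{3})?$", full=False, first_masked=12),
    MaskRule("US SSN", 11, r"^[0-9]{3}-[0-9]{2}-[0-9]{4}$", full=True),
]


def mask_value(value: str, rule: MaskRule, mask_char: str = "*") -> str:
    """Return value masked according to rule."""
    n = len(value)
    # Full masking, or a partial request that leaves nothing visible, hides everything.
    if rule.full or rule.first_masked + rule.last_masked >= n:
        return mask_char * n
    visible = value[rule.first_masked:n - rule.last_masked]
    return mask_char * rule.first_masked + visible + mask_char * rule.last_masked


def matching_rule(value: str, rules=RULES):
    """First rule whose length and anchored regex both match the whole value, or None."""
    for rule in rules:
        if len(value) == rule.length and re.fullmatch(rule.pattern, value):
            return rule
    return None


def redact_fields(fields: dict, rules=RULES) -> dict:
    """Mask every field value that some rule recognises; leave all other values untouched."""
    out = {}
    for field_name, value in fields.items():
        rule = matching_rule(value, rules)
        out[field_name] = mask_value(value, rule) if rule else value
    return out


if __name__ == "__main__":
    # Constructed sample form: a 16-digit Visa number, an SSN, and a 15-digit number no rule covers.
    sample = {"card": "4111111111111111", "ssn": "123-45-6789", "other": "378282246310005"}
    print(redact_fields(sample))  # card -> ************1111, ssn fully masked, other unchanged
```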

[Figure: Masking 1]

The following figure displays a sample app in which the PII is masked. The figure also displays the notification related to masking of the PII.

[Figure: Masking 2]

Printing

Enable/disable printing data from the configured SaaS or Internal web apps with this policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

The following message appears when an end user tries to print content from the application for which the printing restriction is enabled.

[Figure: Printing 2]

Note:

If both Printing and Printer management restrictions are enabled in a policy, the Printing restriction takes precedence over the Printer management restriction.

Printer management

Enable/disable printing data by using the admin-configured printers from the configured SaaS or internal web apps with this policy when accessed via Citrix Enterprise Browser.

Note:

  • The Printer management restriction is available in addition to the Printing restriction where printing is either enabled or disabled. If both Printing and Printer management restrictions are enabled in an access policy, the Printing restriction takes precedence over the Printer management restriction.
  • End users must use Citrix Enterprise Browser version 2405 or later to access applications for which this restriction is enabled. Otherwise, application access is restricted.

To enable/disable printing restrictions, perform the following steps:

  1. Create or edit an access policy. For details, see Create access policies.
  2. In the Step 3: Action page, select Allow with restrictions.
  3. Click Printer management and then click Edit.

[Figure: Printing 1]

  4. Select the exceptions as per your requirement.

    • Network printers - A network printer is a printer that can be connected to a network and used by multiple users.
      • Disabled: Printing from any network printers in the network is disabled.
      • Enabled: Printing from all network printers is enabled. If printer host names are specified, then all other network printers apart from the ones specified are blocked.

      Note: Network printers are identified by their host names.

    • Local printers - A local printer is a device directly connected to an individual computer through a wired connection. This connection is typically facilitated through USB, parallel ports, or other direct interfaces.
      • Disabled: Printing from all local printers is disabled.
      • Enabled: Printing from all local printers is enabled.
    • Print using Save as PDF
      • Disabled: Saving the content from the application in a PDF format is disabled.
      • Enabled: Saving the content from the application in a PDF format is enabled.
  5. Click Save.

If a network printer is disabled, then the specific printer name appears grayed out when end users try to select the printer in the Destination field.

Also, if Print using Save as PDF is disabled, then when you click the See more link in the Destination field, the Save as PDF option appears grayed out.

If end users rename a network printer, they can no longer use that network printer.

[Figure: Printing 3]

Screen capture

Enable/disable the ability to capture the screens from the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured. Default value: Enabled.

Upload restriction by file type

Enable/disable the user’s ability to upload specific MIME (file) types to the SaaS or internal web app with this policy when accessed via Citrix Enterprise Browser.

Note:

  • The Upload restriction by file type restriction is available in addition to the Upload restriction.
  • If both Uploads and Upload restriction by file type restrictions are enabled in a policy, the Uploads restriction takes precedence over the Upload restriction by file type restriction.
  • End users must use Citrix Enterprise Browser version 2405 or later to access applications for which this restriction is enabled. Otherwise, application access is restricted.

To enable/disable uploading of MIME types, perform the following steps:

  1. Create or edit an access policy. For details, see Create access policies.
  2. In the Step 3: Action page, select Allow with restrictions.
  3. Click Upload restriction by file type and then click Edit.
  4. In the Upload restriction by file type settings page, select one of the following:

    • Allow all uploads with exceptions – Allow uploads of all file types except the selected types.
    • Block all uploads with exceptions – Block uploads of all file types except the selected types.
  5. If the file type does not exist in the list, then do the following:

    1. Click Add custom MIME types.
    2. In Add MIME types, enter the MIME type in the format category/subcategory<extension>. For example, image/png.
    3. Click Done.

    The MIME type now appears in the list of exceptions.

When an end user tries to upload a restricted file type, Citrix Enterprise Browser displays a warning message.

[Figure: Upload]

Uploads

Enable/disable the user’s ability to upload within the SaaS or internal web app configured with this policy when accessed via Citrix Enterprise Browser. Default value: Enabled.

Note:

If both Uploads and Upload restriction by file type restrictions are enabled in a policy, the Uploads restriction takes precedence over the Upload restriction by file type.

Watermark

Enable/disable the watermark on the user’s screen displaying the user name and IP address of the user’s machine. Default value: Disabled.

Clipboard restriction for security groups

You can restrict clipboard access to a designated group of apps. These apps are grouped into a security group so that end users can copy and paste content only within that security group. To enable clipboard access among the apps in a security group, you need only an access policy configured with the action Allow or Allow with restrictions, without selecting any access setting.

  • When the Security groups restriction is enabled, you cannot copy / paste data between applications in different security groups. For example, if the app “ProdDocs” belongs to security group “SG1” and the app “Edocs” belongs to security group “SG2”, you cannot copy / paste content from “Edocs” to “ProdDocs” even if Copy / Paste restriction is enabled for both groups.

  • For apps not part of a security group, you can have an access policy created with action allow with restrictions and selecting the restrictions (Copy, Paste, or Clipboard). In this case, the app is not part of a security group and the Copy / Paste restriction can be applied on that app.

Note:

You can also restrict clipboard access for apps accessed via Citrix Enterprise Browser through the Global App Configuration service (GACS). If you are using GACS to manage Citrix Enterprise Browser, then use the Enabled Sandboxed Clipboard option to manage the clipboard access. When you restrict clipboard access through GACS, it applies to all apps accessed via Citrix Enterprise Browser.

To create a security group, perform the following steps:

  1. In the Secure Private Access console, click Applications and then click Security groups.
  2. Click Add a new security group.

[Figure: Security group]

  3. Enter a name for the security group.
  4. In Add web or SaaS applications, choose the applications that you want to group together to enable the copy and paste control. For example, Wikipedia, Pinterest, and Dribble.
  5. Click Save.

For details on Advanced clipboard settings, see Enable copy / paste controls for native applications and unpublished apps.

When end users launch these applications (Wikipedia, Pinterest, and Dribble) from Citrix Workspace, they can share data (copy / paste) from one application to the other applications within the security group. The copy / paste works irrespective of other security restrictions that are already enabled for the applications.

However, end users cannot copy and paste content from their local applications on their machines or unpublished applications to these designated applications and conversely. The following notification appears when content is copied from the designated application into another application:

[Figure: Paste error]

Note:

You can copy and paste the contents between the apps in a security group and other local apps on the machines or unpublished web apps by using the options in Advanced clipboard settings. For details, see Enable copy / paste controls for native applications and unpublished apps.

Enable granular level clipboard access

You can enable granular level clipboard access within the applications in a designated group. You can do so by creating access policies for the applications and enabling the Copy / Paste restriction as per your requirement.

Note:

Ensure that the specific access policy that you have created for granular level clipboard access has a higher priority than the policy that you have created for the security groups.

Example:

Consider that you have created a security group with three applications namely, Wikipedia, Pinterest, and Dribble.

Now, you want to restrict pasting of content from Wikipedia or Dribble into Pinterest. To do so, perform the following steps:

  1. Create or edit an access policy assigned for the application Pinterest. For details on creating an access policy, see Create access policies.
  2. In the Step 3: Action page, select Allow with restrictions.
  3. Select Paste.

Although Pinterest is part of a security group that also contains Wikipedia and Dribble, users cannot copy content from Wikipedia or Dribble to Pinterest because of the access policy associated with Pinterest in which the Paste restriction is selected.

[Figure: Paste error 2]

Enable copy / paste controls for native applications and unpublished apps

You can copy and paste the contents between the apps in a security group and other local apps on the machines or unpublished web apps by using the options in Advanced clipboard settings.

  1. Create a security group. For details, see Create security groups.
  2. Expand Advanced clipboard settings.

    [Figure: Advanced options]

  3. Select any of the following options as per your requirement:

    • Allow copying of data from the security group to unpublished domains – Enable copying of data from applications in the security groups to the apps that are not published in Secure Private Access.
    • Allow copying of data from the security group to native apps - Enable copying of data from the applications in the security groups to the local applications on your machines.
    • Allow copying of data from the unpublished domains to the security group – Enable copying of data from the apps not published through Secure Private Access to the applications in the security groups.
    • Allow copying of data from native apps to the security group - Enable copying of data from the local applications on the machines to the applications in the security groups.
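The following added example (not Citrix code) encodes the clipboard rules from this section and from Clipboard restriction for security groups as a single decision function, so that the interaction between security groups, the four Advanced clipboard settings, and a higher-priority Copy / Paste policy can be checked against sample apps. The app objects, the Notepad and intranet.example entries, and the SG1/SG2 group names are constructed; how an app in a security group interacts with a published app outside any group is not described on the page, so the function refuses to decide that case.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class App:
    name: str
    kind: str                    # "published" (Secure Private Access app), "unpublished" web app, or "native"
    group: Optional[str] = None  # security group name; published apps only
    restrictions: set = field(default_factory=set)  # Copy / Paste / Clipboard from the effective access policy


@dataclass
class GroupSettings:
    """The four Advanced clipboard settings of one security group (all off unless enabled)."""
    to_unpublished: bool = False    # Allow copying of data from the security group to unpublished domains
    to_native: bool = False         # Allow copying of data from the security group to native apps
    from_unpublished: bool = False  # Allow copying of data from the unpublished domains to the security group
    from_native: bool = False       # Allow copying of data from native apps to the security group


def clipboard_allowed(src: App, dst: App, settings: dict) -> bool:
    """Decide whether content copied in src may be pasted into dst."""
    # Granular policy first (it must have higher priority than the security-group policy):
    # Clipboard blocks both directions, Copy blocks the source, Paste blocks the destination.
    # Assumption: App.restrictions holds the restrictions of the app's highest-priority policy.
    if src.restrictions & {"Clipboard", "Copy"} or dst.restrictions & {"Clipboard", "Paste"}:
        return False
    if src.group and dst.group:
        return src.group == dst.group  # same group: allowed; different groups: never
    if src.group:  # leaving a security group
        s = settings.get(src.group, GroupSettings())
        if dst.kind == "unpublished":
            return s.to_unpublished
        if dst.kind == "native":
            return s.to_native
    elif dst.group:  # entering a security group
        s = settings.get(dst.group, GroupSettings())
        if src.kind == "unpublished":
            return s.from_unpublished
        if src.kind == "native":
            return s.from_native
    else:
        return True  # neither app is in a security group: only the policy restrictions above apply
    raise ValueError(f"{src.name} -> {dst.name}: combination not described on the page")


# Constructed sample mirroring the page's examples; Notepad and intranet.example are made up.
WIKIPEDIA = App("Wikipedia", "published", "SG1")
PINTEREST = App("Pinterest", "published", "SG1", {"Paste"})  # granular policy selecting the Paste restriction
DRIBBLE = App("Dribble", "published", "SG1")
EDOCS = App("Edocs", "published", "SG2")
NOTEPAD = App("Notepad", "native")
INTRANET = App("intranet.example", "unpublished")
SETTINGS = {"SG1": GroupSettings(to_unpublished=True)}  # only "security group to unpublished domains" enabled
```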

Known issues

  • The routing table (Settings > Application Domain) retains the domains of a deleted application. Hence, these applications are still considered published applications in Secure Private Access. If these domains are accessed directly from Citrix Enterprise Browser, copy / paste is disabled for these applications irrespective of the options that you have selected in Advanced clipboard settings.

    For example, assume the following scenario:

    • You have deleted an application named Jira2 (https://test.citrite.net) that was part of a security group.
    • You have enabled the option Allow copying of data from the security group to unpublished domains.

    In this scenario, if the user tries to copy data from this application into another application in the same security group, the pasting control is disabled. A notification regarding the same is displayed to the user.

  • For a SaaS app, app access can be denied if the application is configured with an access policy with the action Deny access. The end users can still access the app because the app traffic is not tunneled through Secure Private Access. Also, if the application is part of a security group, the security group settings are not honored and hence you cannot copy / paste content from the application.