Terminate active user sessions and add users to the disabled user list

Admins can terminate all active end user sessions immediately and add the users to the disabled user list. Adding a user to this disabled user list terminates all active Secure Private Access application sessions and blocks future application access.

All active application sessions via Citrix Enterprise Browser, direct access, CWA for HTML5, and the Secure Access agent are terminated and blocked. All resources connected through the Secure Access agent, such as file shares, RDP, and SSH sessions, are terminated and blocked as well. Blocked users cannot launch any new applications until they are removed from the disabled user list.

Note:

  • Adding a user to the disabled user list does not change or edit the configured Secure Private Access access policy. Access termination and blocking happen regardless of the access policy that is configured. Once the user is removed from the list, the existing Secure Private Access access policies for the user are reinstated.
  • Users are automatically removed from the disabled user list after 7 days.
  • Only access to published Secure Private Access applications is blocked. Internet access via Citrix Enterprise Browser continues to be allowed or denied based on your web filtering configuration, even after a user is added to the disabled user list.

Use cases

You can use this feature in the following scenarios.

  • An employee quits the organization or is terminated from the organization. In this case, the admin revokes all Secure Private Access app access by terminating active Secure Private Access sessions and blocking any future app access.
  • A device is lost or stolen. In this case, the access is blocked and all current sessions are terminated. The user can be removed from the disabled user list after the situation is under control.
  • A user misuses the app access. In this case, access for the user can be immediately revoked. Access is blocked until the user is removed from the list.

Add users to the disabled user list

  1. Navigate to Secure Private Access > Access Policies and then click the Disable user access tab.
  2. In Domain, select the domain for which the access must be disabled.
  3. In User, search for the user name that must be added to the disabled user list. All user names that match the search criteria are displayed. If the user is removed from the directory service, then that user name does not appear in the User list.
  4. Click Disable user access.

    The user is added to the disabled user list. The following actions occur once the user is added to the disabled user list:

    • All active Secure Private Access sessions are immediately terminated.
    • Future access to all Secure Private Access published applications is blocked.
    • Internet access via Citrix Enterprise Browser is allowed even after a user is added to the disabled user list. Only access to published Secure Private Access applications is blocked.
    • All disabled users are automatically removed from the disabled user list after 7 days. After removal, Secure Private Access access policies take precedence and access is reinstated.

You can use the Purge Selected option to remove users from the disabled user list.

You can use the Purge all entries now option to remove all users from the disabled user list.

Disable user access

Recommendations:

  • To revoke access for a user indefinitely, remove the user from your respective directory service, such as Active Directory, and then add them to the disabled user list. This terminates the user’s active Secure Private Access session, blocks future app access, and once the user is logged out of Workspace, the user cannot log in again due to inactive directory credentials.
  • The user is automatically removed from the disabled user list after 7 days, after which the existing Secure Private Access access policies are reinstated. If you want to extend blocking of access, then re-add the user to the list after 7 days.