Configuration
Clipboard redirection is controlled through Citrix policies. These policies offer a range of settings to fine-tune the clipboard redirection behavior.
By default, bidirectional clipboard redirection is enabled: users can copy and paste data from their Citrix session to their local endpoint and vice versa.
Core Setting
The core clipboard redirection setting is the ‘Client clipboard redirection’ policy. This policy controls whether clipboard redirection is allowed. By default, clipboard redirection is allowed.
Disabling clipboard redirection can improve security by preventing accidental or malicious transfer of sensitive data outside the Citrix virtual environment. It also helps in preventing the introduction of potentially harmful data into the Citrix environment via the clipboard. However, this may negatively affect the end-user experience.
To prohibit clipboard redirection, set the ‘Client clipboard redirection’ policy to ‘Prohibited’.
If set to Prohibited, clipboard redirection is disabled entirely and all other clipboard-related policies are ignored.
Users can still copy and paste data between applications running inside their Citrix session, and between applications on their local endpoint device; however, copying and pasting between the Citrix session and the endpoint is not available.
Directional clipboard control
With directional clipboard control, admins have granular control over the direction of clipboard data flow. This is also known as unidirectional clipboard control.
There are two primary modes of unidirectional control available:
- Client-to-session: In this configuration, the ‘Restrict client clipboard write’ policy is used, and clipboard data is permitted to flow exclusively from the user’s endpoint device (client) to the remote Citrix session. This means that users can copy information from their local machine and paste it into applications running within the Citrix session, but they cannot copy data from the Citrix session and paste it back to their local machine. This mode is beneficial for scenarios where data leakage from the secure session to the less-controlled endpoint is a significant concern.
- Session-to-client: In this configuration, the ‘Restrict session clipboard write’ policy allows clipboard data to flow exclusively from the Citrix session to the client device. Users can copy information from applications within the remote session and paste it onto their local machine, but they are prevented from copying data from their local machine and pasting it into the Citrix session. This setting is often used when the primary goal is to prevent the introduction of potentially malicious or unauthorized data from the endpoint into the secure Citrix environment.
The following table describes the Citrix clipboard policies for unidirectional clipboard control:
Clipboard Directionality | Clipboard Policies |
---|---|
Bidirectional - Session to Client and Client to Session | Client clipboard redirection: Enabled (Default) |
Unidirectional - Client to Session only | Client clipboard redirection: Enabled (Default); Restrict client clipboard write: Enabled |
Unidirectional - Session to Client only | Client clipboard redirection: Enabled (Default); Restrict session clipboard write: Enabled |
In the example above, both directional clipboard policies are highlighted, and in this configuration, only client-to-session clipboard redirection is permitted because the ‘Restrict client clipboard write’ setting is set to ‘Enabled’.
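To check a set of policy values against the rules above, the following added example (not Citrix code) computes which clipboard directions each policy set permits and reports the resulting leak and ingress paths. The dict input format, the "Allowed"/"Prohibited" value strings, the group names and the function names are assumptions; a policy set with both restrict policies enabled is flagged for review because this page does not describe that combination.

```python
# Added example; the dict input format and function names are hypothetical.
# Policy names and semantics are the ones described on this page.
REDIR = "Client clipboard redirection"
R_CLIENT = "Restrict client clipboard write"
R_SESSION = "Restrict session clipboard write"

def effective_flow(policy):
    """Return the clipboard directions a policy set permits (page defaults apply)."""
    if policy.get(REDIR, "Allowed") == "Prohibited":
        return set()  # all other clipboard policies are ignored
    restrict_client = policy.get(R_CLIENT, False)
    restrict_session = policy.get(R_SESSION, False)
    if restrict_client and restrict_session:
        # Combination not described on the page: flag it, do not guess.
        raise ValueError("both restrict policies enabled; not covered by the page")
    if restrict_client:
        return {"client-to-session"}
    if restrict_session:
        return {"session-to-client"}
    return {"client-to-session", "session-to-client"}

def audit(groups):
    """Map each group name to findings on leak and ingress paths."""
    report = {}
    for name, policy in groups.items():
        try:
            flow = effective_flow(policy)
        except ValueError as exc:
            report[name] = [f"REVIEW: {exc}"]
            continue
        findings = []
        if "session-to-client" in flow:
            findings.append("session data can reach the endpoint")
        if "client-to-session" in flow:
            findings.append("endpoint data can enter the session")
        report[name] = findings or ["clipboard isolated"]
    return report

# Constructed sample input, not taken from a real deployment.
SAMPLE = {
    "default": {},
    "finance": {R_CLIENT: True},
    "contractors": {R_SESSION: True},
    "kiosk": {REDIR: "Prohibited", R_SESSION: True},
}

if __name__ == "__main__":
    for group, findings in audit(SAMPLE).items():
        print(f"{group}: {'; '.join(findings)}")
```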