This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
USB devices
Introduction
The generic USB redirection feature allows redirection of USB devices from client machines to HDX sessions giving end users the ability to interact with a wide selection of generic USB devices in their HDX session. This is helpful in scenarios where users need to use speciality devices that don’t have optimized support or where it is unsuitable.
Note: USB Devices not optimized for virtual channel support will fall back to the Generic USB virtual channel using raw USB redirection.
How does it work?
Generic USB redirection works at a low level and redirects USB request and response messages between client machines and XenDesktop virtual desktop.
It avoids the requirement for compatible device drivers on the client machine and the driver is expected to be supported on the virtual desktop only. USB redirection policy rules follow a certain order of precedence that allow client side policies and default rules to be honored after DDC policy rules have been evaluated and enforced. This allows Citrix admins to prevent any unauthorized/spoofed devices from being redirected inside a session.
Additionally, event logging of unauthorized devices attempting to access the remote session can be audited and flagged and admins can take additional action to prevent data exfiltration.
When a user plugs in a USB device, the session host checks it against each policy rule consecutively until a match is found. The first match for any device is considered definitive.
- If the first match is an Allow rule, the device is redirected to the virtual desktop.
- If the first match is a Deny rule, the device is not redirected to the session, and only available for use in the local user device. If no match is found, default rules are used.
Compatibility with generic USB redirection
These Citrix Workspace apps support generic USB redirection:
- Citrix Workspace app for Windows, see Citrix Workspace app for Windows.
- Citrix Workspace app for Mac, see Citrix Workspace app for Mac.
- Citrix Workspace app for Linux, see Citrix Workspace app for Linux.
- Citrix Workspace app for Chrome OS, see Citrix Workspace app for Chrome.
For Citrix Workspace app versions, see the Citrix Workspace app feature matrix.
Performance considerations for USB devices
Network latency and bandwidth can affect user experience and USB device operation when using generic USB redirection for some types of USB devices. For example, timing-sensitive devices might not operate correctly over high-latency low-bandwidth links. Use optimized support instead where possible.
Some USB devices require high bandwidth to be usable, for example a 3D mouse (used with 3D apps that also typically require high bandwidth). If bandwidth cannot be increased, you might be able to mitigate the issue by tuning bandwidth usage of other components using the bandwidth policy settings. For more information, see Bandwidth policy settings for Client USB device redirection, and Multi-stream connection policy settings.
Security considerations for USB devices
Some USB devices are security-sensitive by nature, for example, smart card readers, fingerprint readers, and signature pads. Other USB devices such as USB storage devices can be used to transmit data that might be sensitive.
USB devices are often used to distribute malware. Configuration of Citrix Workspace app and Citrix Virtual Apps and Desktops can reduce, but not eliminate, risk from these USB devices. This situation applies whether generic USB redirection or optimized support is used.
Important:
For security-sensitive devices and data, always secure the HDX connection, see Communication between client and VDA.
Only enable support for the USB devices that you need. Configure both generic USB redirection and optimized support to meet this need.
Provide guidance to users for safe use of USB devices:
- Use only USB devices that have been obtained from a trustworthy source.
- Don’t leave USB devices unattended in open environments - for example, a flash drive in an internet cafe.
- Explain the risks of using a USB device on more than one computer.
Security controls for USB mass storage devices
Optimized support is provided for USB mass storage devices. This support is part of Citrix Virtual Apps and Desktops client drive mapping. Drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders that have mapped drive letters. To configure client drive mapping, use the Client removable drives setting. This setting is in the File Redirection policy settings section of the ICA policy settings.
With USB mass storage devices you can use either Client drive mapping or generic USB redirection, or both. Control them using Citrix policies. The main differences are:
Feature | Client drive mapping | Generic USB redirection |
---|---|---|
Enabled by default | Yes | No |
Read-only access configurable | Yes | No |
Encrypted device access | Yes, if encryption is unlocked before the device is accessed | Yes |
BitLocker To Go devices | No | No |
Safe to delete device during a session | No | Yes, provided users follow operating system recommendations for safe removal |
If both generic USB redirection and the client drive mapping policies are enabled and a mass storage device is inserted either before or after a session starts, it is redirected using client drive mapping. When both generic USB redirection and the client drive mapping policies are enabled and a device is configured for automatic redirection and a mass storage device is inserted either before or after a session starts, it is redirected using generic USB redirection.
Note:
USB redirection is supported over lower bandwidth connections, for example 50 Kbps. However, copying large files doesn’t work.
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.