Citrix Virtual Apps and Desktops

USB devices

Introduction

The generic USB redirection feature redirects USB devices from client machines into HDX sessions, giving end users the ability to work with a wide selection of generic USB devices in their HDX session. This is helpful in scenarios where users need speciality devices that don’t have optimized support, or where optimized support is unsuitable.

Note: USB Devices not optimized for virtual channel support will fall back to the Generic USB virtual channel using raw USB redirection.

How does it work?

Generic USB redirection works at a low level and redirects USB request and response messages between client machines and the XenDesktop virtual desktop.

It avoids the requirement for compatible device drivers on the client machine; the driver needs to be supported only on the virtual desktop. USB redirection policy rules follow a fixed order of precedence: DDC policy rules are evaluated and enforced first, and client-side policies and default rules are honored after them. This allows Citrix admins to prevent unauthorized or spoofed devices from being redirected into a session.

Additionally, unauthorized devices attempting to access the remote session are recorded in the event log, so they can be audited and flagged, and admins can take additional action to prevent data exfiltration.

When a user plugs in a USB device, the session host checks it against each policy rule in order until a match is found. The first match for any device is definitive.

  • If the first match is an Allow rule, the device is redirected to the virtual desktop.
  • If the first match is a Deny rule, the device is not redirected to the session and remains available only on the local user device. If no rule matches, the default rules are used.
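The following Python script is an added example, not Citrix code, that models the first-match evaluation just described: DDC (server) rules are consulted first, then client-side rules, then default rules, and the first rule that matches decides the outcome. Every denial is appended to an audit list so that unauthorized devices can be reviewed, as the section above suggests. The rule text format (Allow:/Deny: followed by VID=, PID=, Class= and SubClass= hex fields and a # comment) is an assumption modelled on the way Citrix documents USB device rules; the rule sets, device descriptors and vendor/product IDs are constructed sample data.

```python
"""Added example (not Citrix code): first-match evaluation of USB redirection rules.

Assumed rule grammar, one rule per line (hex values, '#' starts a comment):
    Allow: VID=1111 PID=2222 # approved signature pad
    Deny:  Class=08 SubClass=05 # mass storage
A rule with no fields (e.g. 'Allow: # otherwise allow all') matches every device.
"""
from dataclasses import dataclass

FIELDS = ("vid", "pid", "class", "subclass")


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    dev_class: int
    subclass: int
    name: str = ""


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    match: dict   # field name -> value; an empty dict matches every device
    comment: str = ""


def parse_rules(text):
    """Parse rule lines into Rule objects, rejecting anything that is not Allow:/Deny:."""
    rules = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue
        action, sep, fields = body.partition(":")
        action = action.strip().lower()
        if not sep or action not in ("allow", "deny"):
            raise ValueError(f"unrecognised rule: {raw!r}")
        match = {}
        for token in fields.split():
            key, _, value = token.partition("=")
            key = key.lower()
            if key not in FIELDS or not value:
                raise ValueError(f"bad field {token!r} in rule: {raw!r}")
            match[key] = int(value, 16)
        rules.append(Rule(action, match, comment.strip()))
    return rules


def _matches(rule, dev):
    values = {"vid": dev.vid, "pid": dev.pid, "class": dev.dev_class, "subclass": dev.subclass}
    return all(values[key] == wanted for key, wanted in rule.match.items())


def evaluate(dev, server_rules, client_rules, default_rules, audit_log):
    """Return (action, source, rule) for the first matching rule.

    Precedence: server (DDC) rules, then client rules, then default rules.
    Denials are written to audit_log; if no rule at all matches we fail closed.
    """
    ordered = (("server", server_rules), ("client", client_rules), ("default", default_rules))
    for source, rules in ordered:
        for rule in rules:
            if _matches(rule, dev):
                if rule.action == "deny":
                    audit_log.append(
                        f"DENY {dev.name!r} vid={dev.vid:04x} pid={dev.pid:04x} "
                        f"class={dev.dev_class:02x} sub={dev.subclass:02x} "
                        f"by {source} rule: {rule.comment}")
                return rule.action, source, rule
    audit_log.append(f"DENY {dev.name!r}: no matching rule (fail closed)")
    return "deny", "implicit", None


# Constructed sample rule sets; IDs and comments are made up for the example.
SERVER_RULES = parse_rules("""
Deny: Class=08 SubClass=05 # mass storage: use client drive mapping instead
Allow: VID=1111 PID=2222 # approved signature pad
""")
CLIENT_RULES = parse_rules("Allow: Class=03 # HID devices permitted on this endpoint")
DEFAULT_RULES = parse_rules("""
Deny: Class=09 # hubs
Allow: # otherwise allow all
""")


def demo():
    """Evaluate a handful of constructed devices; returns ({name: (action, source)}, audit)."""
    audit = []
    devices = [
        UsbDevice(0x1234, 0x0001, 0x08, 0x05, "flash drive"),
        UsbDevice(0x1111, 0x2222, 0xFF, 0x00, "signature pad"),
        UsbDevice(0x1234, 0x0002, 0x03, 0x01, "keyboard"),
        UsbDevice(0x1234, 0x0003, 0x09, 0x00, "hub"),
        UsbDevice(0x1234, 0x0004, 0x0B, 0x00, "smart card reader"),
    ]
    results = {d.name: evaluate(d, SERVER_RULES, CLIENT_RULES, DEFAULT_RULES, audit)[:2]
               for d in devices}
    return results, audit


if __name__ == "__main__":
    decisions, log = demo()
    for name, (action, source) in decisions.items():
        print(f"{name:18s} -> {action:5s} ({source} rule)")
    print("\n".join(log))
```

Note that the mass storage device is denied by the server rule even though the default set would have allowed it: once a rule matches, later rule sets are never consulted, which is exactly why server-side Deny rules are the place to block device classes an endpoint-side policy should not be able to override.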


Compatibility with generic USB redirection

These Citrix Workspace apps support generic USB redirection:

For Citrix Workspace app versions, see the Citrix Workspace app feature matrix.

Performance considerations for USB devices

Network latency and bandwidth can affect user experience and USB device operation when using generic USB redirection for some types of USB devices. For example, timing-sensitive devices might not operate correctly over high-latency low-bandwidth links. Use optimized support instead where possible.

Some USB devices require high bandwidth to be usable, for example a 3D mouse (used with 3D apps that also typically require high bandwidth). If bandwidth cannot be increased, you might be able to mitigate the issue by tuning bandwidth usage of other components using the bandwidth policy settings. For more information, see Bandwidth policy settings for Client USB device redirection, and Multi-stream connection policy settings.

Security considerations for USB devices

Some USB devices are security-sensitive by nature, for example, smart card readers, fingerprint readers, and signature pads. Other USB devices such as USB storage devices can be used to transmit data that might be sensitive.

USB devices are often used to distribute malware. Configuration of Citrix Workspace app and Citrix Virtual Apps and Desktops can reduce, but not eliminate, risk from these USB devices. This situation applies whether generic USB redirection or optimized support is used.

Important:

For security-sensitive devices and data, always secure the HDX connection; see Communication between client and VDA.

Only enable support for the USB devices that you need. Configure both generic USB redirection and optimized support to meet this need.

Provide guidance to users for safe use of USB devices:

  • Use only USB devices that have been obtained from a trustworthy source.
  • Don’t leave USB devices unattended in open environments - for example, a flash drive in an internet cafe.
  • Explain the risks of using a USB device on more than one computer.

Security controls for USB mass storage devices

Optimized support is provided for USB mass storage devices. This support is part of Citrix Virtual Apps and Desktops client drive mapping. Drives on the user device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders that have mapped drive letters. To configure client drive mapping, use the Client removable drives setting. This setting is in the File Redirection policy settings section of the ICA policy settings.

With USB mass storage devices you can use either Client drive mapping or generic USB redirection, or both. Control them using Citrix policies. The main differences are:

Feature                                 | Client drive mapping                                         | Generic USB redirection
----------------------------------------|--------------------------------------------------------------|-------------------------------------------------------------------------------
Enabled by default                      | Yes                                                          | No
Read-only access configurable           | Yes                                                          | No
Encrypted device access                 | Yes, if encryption is unlocked before the device is accessed | Yes
BitLocker To Go devices                 | No                                                           | No
Safe to delete device during a session  | No                                                           | Yes, provided users follow operating system recommendations for safe removal

If both the generic USB redirection and the client drive mapping policies are enabled and a mass storage device is inserted either before or after a session starts, it is redirected using client drive mapping. If, in addition, the device is configured for automatic redirection, it is redirected using generic USB redirection instead.

Note:

USB redirection is supported over lower bandwidth connections, for example 50 Kbps. However, copying large files doesn’t work.
