App protection

App protection is an add-on feature that provides enhanced security when using Citrix Workspace app. Two policies provide anti-keylogging and anti-screen-capturing capabilities in a session. The policies along with Citrix Workspace app 1912 or later for Windows can help protect data from keyloggers and screen scrapers.

After purchasing this feature, ensure you enable the app protection license and the app protection policies and import the FeatureTable.OnPrem.AppProtection.xml feature table.


  • If you connect from an older version of Citrix Workspace app, or from Citrix Receiver, these policies are not enabled.
  • Only workstation operating systems support app protection.

Feature table file

By default, app protection is turned off. To enable the feature, use the Import-ConfigFeatureTable cmdlet to import the FeatureTable.OnPrem.AppProtection.xml feature table, which has app protection enabled.

The Components section on the Citrix Virtual Apps and Desktops 1912 download page contains the required XML file. You must have a Citrix account to download the file.

To verify that app protection is enabled, run:

Get-ConfigEnabledFeature | Select-String AppProtection


App protection requires that you install an add-on license on your License Server. A Citrix Virtual Desktops license must also be present.

  1. Get the add-on app protection license using the same process you used for your Citrix Virtual Apps and Desktops 1912 license.
  2. Use the Citrix Licensing Manager to import the license file (preferred). Or copy the license file to C:\Program Files (x86)\Citrix\Licensing\MyFiles on the License Server and restart the Citrix Licensing service.

App protection properties for Delivery Groups

Enable the following properties for the app protection Delivery Group using the PowerShell SDK:

  • AppProtectionKeyLoggingRequired: True
  • AppProtectionScreenCaptureRequired: True


Set-BrokerDesktopGroup -Name group_name -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true

To validate, run this cmdlet:

Get-BrokerDesktopGroup -Property Name,AppProtectionKeyLoggingRequired,AppProtectionScreenCaptureRequired

In addition, enable XML trust:

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Ensure that you secure the network between the StoreFront and the Broker. For more information, see Knowledge Center article
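
The following added example (not part of the original Citrix page, and not a Citrix script) checks the three settings described above in one pass: the feature table, XML trust, and the two Delivery Group properties. The function name Get-AppProtectionAudit, the State labels, and the sample Delivery Group names are assumptions made for illustration; the sample objects are constructed so the function can be tried away from a Delivery Controller.

```powershell
# Added example. Run on a Delivery Controller with the Citrix PowerShell SDK.
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

function Get-AppProtectionAudit {
    param(
        # Defaults query the live site; pass constructed objects for a dry run.
        [string[]]$EnabledFeature = @(Get-ConfigEnabledFeature),
        [object]$Site = (Get-BrokerSite),
        # -MaxRecordCount raises the SDK's default result limit so no group is missed.
        [object[]]$DesktopGroup = @(Get-BrokerDesktopGroup -MaxRecordCount 10000 `
            -Property Name,AppProtectionKeyLoggingRequired,AppProtectionScreenCaptureRequired)
    )

    # Site-wide prerequisites: feature table imported, XML trust enabled.
    [pscustomobject]@{
        Scope = 'Site'; Name = 'FeatureTable (AppProtection)'
        State = if ($EnabledFeature -match 'AppProtection') { 'Enabled' } else { 'Missing' }
    }
    [pscustomobject]@{
        Scope = 'Site'; Name = 'TrustRequestsSentToTheXmlServicePort'
        State = if ($Site.TrustRequestsSentToTheXmlServicePort) { 'Enabled' } else { 'Missing' }
    }

    # Per Delivery Group: both properties set, only one of them, or neither.
    foreach ($g in $DesktopGroup) {
        $on = @($g.AppProtectionKeyLoggingRequired, $g.AppProtectionScreenCaptureRequired) |
            Where-Object { $_ -eq $true }
        $state = switch (@($on).Count) { 2 { 'Full' } 1 { 'Partial' } default { 'None' } }
        [pscustomobject]@{ Scope = 'DeliveryGroup'; Name = $g.Name; State = $state }
    }
}

# Constructed sample objects (not output from a real site) for a dry run.
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Finance'; AppProtectionKeyLoggingRequired = $true;  AppProtectionScreenCaptureRequired = $true }
    [pscustomobject]@{ Name = 'Kiosk';   AppProtectionKeyLoggingRequired = $true;  AppProtectionScreenCaptureRequired = $false }
    [pscustomobject]@{ Name = 'General'; AppProtectionKeyLoggingRequired = $false; AppProtectionScreenCaptureRequired = $false }
)
$sampleSite = [pscustomobject]@{ TrustRequestsSentToTheXmlServicePort = $false }
Get-AppProtectionAudit -EnabledFeature 'AppProtection' -Site $sampleSite -DesktopGroup $sampleGroups |
    Format-Table -AutoSize

# On a live site, call it with no arguments:
#   Get-AppProtectionAudit | Format-Table -AutoSize
```

A Delivery Group reported as Partial has only one of the two properties set, which leaves either keylogging or screen capture unprotected for sessions in that group.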