App protection

App protection is an add-on feature for Citrix Workspace app that provides enhanced security when using Citrix Virtual Apps and Desktops published resources.

Two policies provide anti-keylogging and anti-screen-capturing capabilities in a Citrix HDX session. The policies along with a minimum of Citrix Workspace app 1912 for Windows or Citrix Workspace app 2001 for Mac can help protect data from keyloggers and screen scrapers.

Anti-keylogging when enabled:

  • A keylogger sees nonsense keystrokes.
  • This feature is active only when a protected window is in focus.

Anti-screen-capturing when enabled:

  • Screen capture is a blank screen.
  • This feature is active when a protected window is visible (not minimized).

You configure the policies through PowerShell only. There is no GUI administration capability.

After purchasing this feature, ensure you enable the app protection license and the app protection policies and import the FeatureTable.OnPrem.AppProtection.xml feature table.

Disclaimer:

App protection policies work by filtering access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). This means that app protection policies can provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.

Limitations

These limitations exist by design:

  • No feature support for double-hop scenarios. For example, launching a published app from within a published desktop.
  • No feature support for app protection on a Remote Desktop Protocol (RDP) connection.
  • No feature support when using an unsupported version of Citrix Workspace app or Citrix Receiver.
  • To capture the screenshot of any non-Citrix Workspace app window, users must first minimize the protected window.
  • For app protection to work properly, disable the Citrix clipboard redirection policy on the VDA.

Expected behavior

The expected behaviors depend on how you access the StoreFront store that contains protected resources. You can access the resources using a supported native Citrix Workspace app client.

  • Behavior on StoreWeb - Applications with app protection policies are not enumerated on StoreFront web stores.
  • Behavior on unsupported Citrix Receivers or Citrix Workspace apps - Applications with app protection policies are not enumerated.
  • Behavior on supported Citrix Workspace app versions - Protected resources enumerate and start properly.

What does app protection protect?

To capture the screenshot of any non-Citrix Workspace app window, users must first minimize the protected window.

By default, app protection protects the following Citrix windows:

  • Citrix logon windows

Citrix logon window - protected

  • Citrix Workspace app HDX session windows (for example, a managed desktop)

Citrix managed desktop window - protected

  • Self-Service (Store) windows

Citrix Self-Service (Store) window - protected

What doesn’t app protection protect?

The items under the Citrix Workspace app icon in the navigation bar:

  • Connections Center
  • All links under Advanced Preferences
  • Personalize
  • Check for Updates
  • Sign Out

System requirements

Minimum versions of Citrix components:

  • Citrix Workspace app 1912 for Windows Long Term Service Release
  • Citrix Workspace app 2002 for Windows
  • Citrix Workspace app 2001 for Mac
  • StoreFront 1912
  • Delivery Controller 1912
  • Valid Citrix licenses
    • App protection add-on license
    • Citrix Virtual Apps and Desktops 1912

Operating system platforms:

These operating systems are supported on the endpoint. The VDA supports all operating systems.

  • Windows 10
  • Windows 8.1
  • Windows 7
  • macOS High Sierra (10.13) and higher

Configure

After purchasing the app protection, follow these steps to fully configure and enable the feature:

  1. Import the app protection license.
  2. Configure the Workspace app.
  3. Import the FeatureTable.OnPrem.AppProtection.xml feature table.
  4. Enable the feature on the StoreFront server.
  5. Enable the app protection policies on the Delivery Controllers.
  6. Disable clipboard redirection on app protected VDAs.

1. Licensing

App protection requires that you install an add-on license on the Citrix License Server. A minimum Citrix Virtual Desktops 1912 version license must be present. Contact a Citrix Sales Representative to purchase the app protection add-on license.

  1. Download the license file and import it into the Citrix License Server alongside an existing Citrix Virtual Desktops license.
  2. Use the Citrix Licensing Manager to import the license file (preferred method) or copy the license file to C:\Program Files (x86)\Citrix\Licensing\MyFiles on the License Server and restart the Citrix Licensing service. For more information, see Import license files.

2. Citrix Workspace app

Configure app protection on the Citrix Workspace app.

Citrix Workspace app for Windows:

You can include the app protection component with the Citrix Workspace app using the following methods:

  • During Citrix Workspace app installation.
  • Using the command-line interface after the Citrix Workspace app installation.

Ensure the Citrix Workspace app was installed with the /includeappprotection switch enabled.

For more information, see App protection.

Citrix Workspace app for Mac:

App protection requires no specific configuration on Citrix Workspace app for Mac.

3. Feature table file

After you purchase the app protection feature, enable the app protection license and the app protection policies, and import the FeatureTable.OnPrem.AppProtection.xml feature table.

The Components section on the Citrix Virtual Apps and Desktops 1912 or later download page contains the required XML file. You must have a Citrix account to download the file.

By default, app protection is disabled. To enable the feature, use the Import-ConfigFeatureTable cmdlet to import the FeatureTable.OnPrem.AppProtection.xml feature table, which has app protection enabled. Run the cmdlet once for the whole site. For more information, see Import-Configfeaturetable.

Import-ConfigFeatureTable -Path .\FeatureTable.OnPrem.AppProtection.xml

You can run the cmdlet on any installed Delivery Controller machine or on a machine with a stand-alone Studio installed that has the FMA PowerShell snap-ins installed.

To verify that app protection is enabled, run Get-ConfigEnabledFeature | Select-String -Pattern 'AppProtection'.

4. StoreFront Server

To enable the enumeration and launching of protected resources, run the following PowerShell command on the StoreFront server: Add-STFFeatureState -Name "Citrix.StoreFront.AppProtectionPolicy.Control" -IsEnabled $True

In a multiple-server StoreFront deployment, you must manually propagate these changes to all the other servers in the server group. For more information, see Propagate local changes to a server group.

To verify that the feature is enabled on a StoreFront server, use the following PowerShell command:

Get-STFFeatureState -Name "Citrix.StoreFront.AppProtectionPolicy.Control"

5. Delivery Groups

Enable the following properties for the app protection Delivery Group using the PowerShell SDK on any installed Delivery Controller machine or on a machine with a stand-alone Studio installed that has the FMA PowerShell snap-ins installed.

  • AppProtectionKeyLoggingRequired: True
  • AppProtectionScreenCaptureRequired: True

You can enable each of these policies individually per Delivery Group. For example, you can configure keylogging protection only for DG1, and screen capture protection only for DG2. You can enable both policies for DG3.

Example:

To enable both policies for a Delivery Group named DG3, run the following command on any Delivery Controller in the site:

Set-BrokerDesktopGroup -Name DG3 -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true

To validate the settings, run this cmdlet:

Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired | Format-Table -AutoSize

In addition, enable XML trust:

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Ensure that you secure the network between the StoreFront and the Broker. For more information, see Knowledge Center articles CTX236929 and Securing the XenApp and XenDesktop XML Service.
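The following script is an added example, not part of the Citrix documentation: it audits the Delivery Controller side of steps 3 and 5 in one pass (feature table imported, per-Delivery-Group protection properties, XML trust) using only the cmdlets named above. It assumes it runs on a Delivery Controller or a machine with the FMA PowerShell snap-ins installed; the snap-in loading line and the report wording are the example's own.

```powershell
# Added example (not Citrix's own code): audit app protection on the site side.
# Assumes the FMA PowerShell snap-ins are present on this machine.
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

$problems = @()

# Step 3: the feature table with AppProtection enabled must have been imported.
$featureEnabled = Get-ConfigEnabledFeature | Where-Object { $_ -match 'AppProtection' }
if (-not $featureEnabled) {
    $problems += 'AppProtection feature not enabled: run Import-ConfigFeatureTable -Path .\FeatureTable.OnPrem.AppProtection.xml'
}

# Step 5: show both protection properties for every Delivery Group,
# then flag the site if no group requires either protection.
$groups = Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired
$groups | Format-Table -AutoSize

$protected = $groups | Where-Object {
    $_.AppProtectionKeyLoggingRequired -or $_.AppProtectionScreenCaptureRequired
}
if (-not $protected) {
    $problems += 'No Delivery Group requires anti-keylogging or anti-screen-capture.'
}

# Step 5: XML trust must be enabled for protected resources to launch.
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    $problems += 'XML trust is off: run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true'
}

# Summarise so the output can be pasted into a change or incident ticket.
if ($problems.Count -eq 0) {
    Write-Output 'Site-side app protection configuration looks complete.'
} else {
    Write-Output "Found $($problems.Count) problem(s):"
    $problems | ForEach-Object { Write-Output " - $_" }
}
```

The StoreFront and endpoint checks (Get-STFFeatureState, the /includeappprotection install switch) are outside this script because they run on different machines.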

6. VDA policy

Disable the client clipboard redirection policy on the VDAs that will deliver protected apps. For more information, see Client clipboard redirection.

You can disable the client clipboard redirection policy by editing the policy in Citrix Studio, in the Group Policy Object, or with a registry edit. For more information, see Work with policies.

Troubleshoot

Applications are not enumerating or not starting:

  • Confirm the affected user is using a supported version of Citrix Workspace app.
  • Ensure the feature is enabled on the StoreFront server.
  • Ensure the Delivery Group has the proper features enabled.

App protection policies are not applying properly:

  • Ensure the feature is enabled on StoreFront.
  • Ensure the Delivery Group has the proper features enabled.
  • Ensure the feature is installed on the endpoint.
  • Ensure the affected user is using a supported Citrix Workspace app version.
  • Ensure the Citrix Workspace app was installed with the /includeappprotection switch enabled.
  • Verify the VDA has the clipboard redirection policy disabled.

Screenshots not working on non-Citrix windows:

  • Minimize or close the protected Citrix windows.