Citrix Virtual Apps and Desktops

Contextual App Protection for StoreFront

Contextual App Protection lets you apply App Protection policies conditionally, to a subset of users, based on the user, the device they connect from, and the network posture of the connection.

Implementing Contextual App Protection

You can implement contextual App Protection using the connection filters defined in Broker Access policy rules. A Broker Access policy defines the rules that control a user's access to desktop groups. The policy comprises a set of rules; each rule relates to a single desktop group and contains a set of connection filters and access right controls.

Users gain access to a desktop group when their connection's details match the connection filters of one or more rules in the Broker Access policy. By default, users have no access to any desktop group within a site. You can create additional Broker Access policy rules as required, and multiple rules can apply to the same desktop group. For more information, see New-BrokerAccessPolicyRule.

The following parameters in the Broker Access policy rule provide the flexibility to enable App Protection contextually if the user’s connection matches the connection filters defined in the access policy rule:

  • AppProtectionKeyLoggingRequired
  • AppProtectionScreenCaptureRequired

Use the Smart Access filters referenced in the Broker Access policies to refine the connection filters. For information on configuring Smart Access filters, see this support article. The scenarios below show how to use Smart Access policies to set up contextual App Protection.

Prerequisites

Ensure that you have the following:

  • Citrix Virtual Apps and Desktops version 2109 or later
  • Delivery Controller version 2109 or later
  • StoreFront version 1912 or later
  • Successful connection between NetScaler and StoreFront. For more information, see Integrate Citrix Gateway with StoreFront
  • XML feature table import for certain LTSR versions; see step 1 under Enable Contextual App Protection below
  • Smart Access enabled on NetScaler Gateway, for scenarios that require Smart Access tags. For more information, see this support article.
  • Licensing requirements:
    • App Protection On-premises license
    • Citrix Gateway Universal license for scenarios with Smart Access tags

Enable Contextual App Protection

  1. Download the Contextual App Protection policies (feature table) for your Citrix Virtual Apps and Desktops version from the Citrix Downloads page.

  2. Run the following PowerShell commands on the Delivery Controller:

     asnp Citrix*
     Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

     Note: With TrustRequestsSentToTheXmlServicePort set to $true, the Controller trusts the user identity that StoreFront asserts in requests to the XML service port, so restrict access to that port to your trusted StoreFront servers.

  3. Run the following command on the Delivery Controller to enable contextual App Protection: Import-ConfigFeatureTable <path to the downloaded feature table>

     For example: Import-ConfigFeatureTable \Downloads\FeatureTable.OnPrem.AppProtContextualAccess.xml

Enabling contextual App Protection - A few scenarios

Scenario 1: Enable App Protection for External users coming through the Access gateway

For every delivery group, two Broker Access policy rules are created by default: one for connections coming through the Access gateway (the _AG rule) and one for direct connections (the _Direct rule). In this scenario, App Protection is enabled only for the connections coming through the Access gateway.

The following steps are to enable App Protection for external users in the delivery group Admin_Desktop_Group, which contains a desktop called Admin_Desktop:

  1. Run Get-BrokerAccessPolicyRule on the Delivery Controller. It lists the two Broker Access policy rules defined for this group, Admin_Desktop_Group_AG and Admin_Desktop_Group_Direct.

  2. To enable App Protection policies for Access Gateway connections, run: Set-BrokerAccessPolicyRule Admin_Desktop_Group_AG -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true

  3. To disable App Protection policies for direct connections, run: Set-BrokerAccessPolicyRule Admin_Desktop_Group_Direct -AppProtectionKeyLoggingRequired $false -AppProtectionScreenCaptureRequired $false

  4. Verification. Log out of Citrix Workspace app, if it is already open, and log back in. Launch the resource Admin_Desktop from an external connection through the Access gateway. The App Protection policies are applied to the Admin_Desktop session.
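The following PowerShell script is added here as an example and is not part of the Citrix documentation. It performs Scenario 1 for one delivery group without typing the rule names by hand: it resolves the group, sets App Protection on every rule according to its connection type (required for ViaAG rules, not required for all others), refuses to run if the group has no gateway rule at all, and re-reads the rules afterwards so you can confirm the result. It assumes the Citrix PowerShell snap-ins are installed on the Delivery Controller and that the delivery group is named Admin_Desktop_Group, as in the scenario.

```powershell
# Added example, not Citrix's own code. Assumes the Citrix snap-ins on the
# Delivery Controller and a delivery group named Admin_Desktop_Group.
Add-PSSnapin Citrix* -ErrorAction Stop

$groupName = 'Admin_Desktop_Group'   # assumed name, from Scenario 1

# Resolve the delivery group first. A typo here must stop the script rather
# than silently matching zero rules and reporting success.
$group = Get-BrokerDesktopGroup -Name $groupName -ErrorAction Stop

# Every access policy rule that applies to this delivery group.
$rules = Get-BrokerAccessPolicyRule -DesktopGroupUid $group.Uid

# Sanity check: if there is no gateway rule, nothing would ever be protected.
if (-not ($rules | Where-Object { $_.AllowedConnections -eq 'ViaAG' })) {
    throw "No gateway (ViaAG) rule found for '$groupName'; nothing would be protected."
}

foreach ($rule in $rules) {
    # Rules created by Studio record the connection type in AllowedConnections:
    # ViaAG for Access gateway connections, NotViaAG for direct connections.
    # Only gateway connections get App Protection in this scenario; every
    # other rule (direct, or a custom 'Filtered' rule) is set to not required.
    $protect = ($rule.AllowedConnections -eq 'ViaAG')
    Set-BrokerAccessPolicyRule -Name $rule.Name `
        -AppProtectionKeyLoggingRequired    $protect `
        -AppProtectionScreenCaptureRequired $protect
}

# Audit: re-read the rules and show the resulting settings side by side.
Get-BrokerAccessPolicyRule -DesktopGroupUid $group.Uid |
    Select-Object Name, Enabled, AllowedConnections,
        AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired |
    Format-Table -AutoSize
```

Run the script in a PowerShell session on the Delivery Controller; the final table is the check to read before testing from Citrix Workspace app, since a rule whose AllowedConnections is not ViaAG (for example an additional rule created by hand) is left unprotected by this script.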

Scenario 2: Disable App Protection for certain device types, for example an iPhone

The following are the steps to disable App Protection for iPhone users on a delivery group called Win10Desktop.

Step 1: Create the Smart Access policy

  1. Log in to Citrix ADC Administration UI.
  2. On the left navigation menu, go to Citrix Gateway > Virtual Servers.

    Note the VPN Virtual Server name, which is needed to configure Broker Access Policy later on.

  3. Click VPN Virtual Server. Scroll to the bottom of the page and click Session policies. A list of session policies appears.
  4. Click Add Binding.

    Add binding

  5. Click Add to create a session policy.

    Create Citrix Gateway Session

  6. Enter a name for the session policy. In this case temp.

    Enter session policy name

  7. Click Add next to Profile to specify a Profile name. Click Create.

    Specify profile name

  8. Click Expression Editor from the Session policy window.
  9. Create the following expression to check for iPhone in the User-Agent string: HTTP.REQ.HEADER("User-Agent").CONTAINS("iPhone")

     The User-Agent header is supplied by the client, so this filter identifies the device type only for clients that report it honestly; a client that sends a different User-Agent string falls through to the rule that applies to other devices.
    Create expression

  10. Click Bind to create the session policy.

Step 2: Create the Broker access policy rules.

To apply the policy for iPhone users accessing Win10Desktop through the Access gateway:

  1. Run Get-BrokerAccessPolicyRule on the Delivery Controller (DDC); it lists all the Broker Access policy rules defined in the DDC. In this example, the Broker Access policy rules for the delivery group Win10Desktop are Win10Desktop_AG and Win10Desktop_Direct. Note the DesktopGroupUid of the delivery group for the next step.

  2. Create a Broker Access policy rule for Win10Desktop to filter iPhone users coming through the Access gateway: New-BrokerAccessPolicyRule -Name Win10Desktop_AG_iPhone -DesktopGroupUid <Uid_of_desktopGroup> -AllowedConnections ViaAG -AllowedProtocols HDX, RDP -AllowedUsers AnyAuthenticated -AllowRestart $true -AppProtectionKeyLoggingRequired $false -AppProtectionScreenCaptureRequired $false -Enabled $true -IncludedSmartAccessFilterEnabled $true

    Uid_of_desktopGroup is the DesktopGroupUid of the delivery group, obtained by running Get-BrokerAccessPolicyRule in step 1.

  3. To disable App Protection for Win10Desktop iPhone users coming through the Access gateway, reference the Smart Access tag temp created in Step 1: Set-BrokerAccessPolicyRule Win10Desktop_AG_iPhone -IncludedSmartAccessTags Primary_HDX_Proxy:temp -AppProtectionScreenCaptureRequired $false -AppProtectionKeyLoggingRequired $false

    Primary_HDX_Proxy is the VPN virtual server name noted in Step 1: Create the Smart Access policy.

  4. To enable App Protection policies for the rest of the Win10Desktop users, run: Set-BrokerAccessPolicyRule Win10Desktop_AG -AppProtectionScreenCaptureRequired $true -AppProtectionKeyLoggingRequired $true

  5. Verification

    For iPhone: Log out of Citrix Workspace app, if it is already open on the iPhone. Log in to Citrix Workspace app externally through the Access gateway connection. The required resource is visible in StoreFront and App Protection is disabled.

    For devices other than iPhone: Log out of Citrix Workspace app, if it is already open on the device. Log in to Citrix Workspace app externally through the Access gateway connection. The required resource is visible in StoreFront and App Protection is enabled.

Scenario 3: Disable App Protection for connections started from browser-based access and enable App Protection for connections from Citrix Workspace app

The following steps disable App Protection for a delivery group called Win10Desktop when connections are started from a browser, and enable it when connections are started from Citrix Workspace app.

Step 1: Create the Smart Access policies

  1. Create a Smart Access policy to filter the connections started from Citrix Workspace app, as described in Scenario 2. Create the following expression to check for CitrixReceiver in the User-Agent string: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver"). In this case, the Smart Access policy is cwa.

    Create expression

  2. Create another Smart Access policy to filter the connections that aren't started from Citrix Workspace app: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT. In this case, the Smart Access policy is browser.

    Create session policy

Step 2: Create the Broker Access policy rules

  1. Run Get-BrokerAccessPolicyRule to view the two Broker Access policy rules for Win10Desktop, Win10Desktop_AG and Win10Desktop_Direct. Note the DesktopGroupUid of Win10Desktop.

  2. Create a Broker Access policy rule for Win10Desktop to filter connections started from Citrix Workspace app:

    New-BrokerAccessPolicyRule -Name Win10Desktop_AG_CWA -DesktopGroupUid <Uid_of_desktopGroup> -AllowedConnections ViaAG -AllowedProtocols HDX, RDP -AllowedUsers AnyAuthenticated -AllowRestart $true -Enabled $true -IncludedSmartAccessFilterEnabled $true

    Uid_of_desktopGroup is the DesktopGroupUid of the delivery group, obtained by running Get-BrokerAccessPolicyRule in step 1.

  3. Enable App Protection policies only for connections coming through Citrix Workspace app by referencing the Smart Access tag cwa: Set-BrokerAccessPolicyRule Win10Desktop_AG_CWA -IncludedSmartAccessTags Primary_HDX_Proxy:cwa -AppProtectionScreenCaptureRequired $true -AppProtectionKeyLoggingRequired $true

    Primary_HDX_Proxy is the VPN virtual server name noted in Scenario 2, Step 1: Create the Smart Access policy.

  4. Disable App Protection policies for the rest of the connections, which come through the browser, by referencing the Smart Access tag browser: Set-BrokerAccessPolicyRule Win10Desktop_AG -IncludedSmartAccessTags Primary_HDX_Proxy:browser -AppProtectionScreenCaptureRequired $false -AppProtectionKeyLoggingRequired $false

  5. Verification. Log out of Citrix Workspace app, if it is already open. Log back in to Citrix Workspace app and launch the required resource from an external connection through the Access gateway. The App Protection policies are enabled for the resource. Launch the same resource from the browser through an external connection, and the App Protection policies are disabled.

Scenario 4: Disable App Protection for users in a specific Active Directory group

The following steps are to disable App Protection for Win10Desktop users who are part of the Active Directory group xd.local\sales.

  1. Run Get-BrokerAccessPolicyRule to view the two Broker Access policy rules for Win10Desktop, Win10Desktop_AG and Win10Desktop_Direct. Note the DesktopGroupUid of Win10Desktop.

  2. Create a Broker Access policy rule for Win10Desktop to filter connections from users in the Active Directory group xd.local\sales:

    New-BrokerAccessPolicyRule -Name Win10Desktop_AG_Sales_Group -DesktopGroupUid <Uid_of_desktopGroup> -AllowedConnections ViaAG -AllowedProtocols HDX, RDP -AllowedUsers Filtered -AllowRestart $true -Enabled $true -IncludedSmartAccessFilterEnabled $true

    Uid_of_desktopGroup is the DesktopGroupUid of the delivery group, obtained by running Get-BrokerAccessPolicyRule in step 1.

  3. Disable App Protection policies for the Win10Desktop users who are members of the AD group xd.local\sales: Set-BrokerAccessPolicyRule Win10Desktop_AG_Sales_Group -AllowedUsers Filtered -IncludedUsers xd.local\sales -IncludedUserFilterEnabled $true -AppProtectionScreenCaptureRequired $false -AppProtectionKeyLoggingRequired $false

  4. Enable App Protection policies for the rest of the gateway connections, excluding the users in xd.local\sales: Set-BrokerAccessPolicyRule Win10Desktop_AG -AllowedUsers AnyAuthenticated -ExcludedUserFilterEnabled $true -ExcludedUsers xd.local\sales -AppProtectionScreenCaptureRequired $true -AppProtectionKeyLoggingRequired $true

  5. Verification. Log out of Citrix Workspace app, if it is already open. Log in to Citrix Workspace app as a user in the xd.local\sales Active Directory group. Launch the protected resource, and App Protection is disabled. Log out of Citrix Workspace app and log back in as a user who is not part of xd.local\sales. Launch the protected resource, and App Protection is enabled.
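The following PowerShell is added here as an example and is not part of the Citrix documentation. It generalises Scenarios 2, 3 and 4 into one function that creates (or updates) a gateway-only Broker Access policy rule for a delivery group, scoped by a Smart Access tag, an Active Directory group, or both, and sets both App Protection requirements together, followed by an audit of every rule on the group. It assumes the Citrix PowerShell snap-ins on the Delivery Controller, the delivery group Win10Desktop, the VPN virtual server name Primary_HDX_Proxy and the Smart Access tags temp and cwa from the scenarios, and that the default Win10Desktop_AG rule has already been set the opposite way as each scenario describes.

```powershell
# Added example, not Citrix's own code. Assumes the Citrix snap-ins on the
# Delivery Controller and the names used in Scenarios 2-4 (Win10Desktop,
# Primary_HDX_Proxy, tags temp and cwa, AD group xd.local\sales).
Add-PSSnapin Citrix* -ErrorAction Stop

function Set-ContextualAppProtectionRule {
    param(
        [Parameter(Mandatory)][string]$DesktopGroupName,
        [Parameter(Mandatory)][string]$RuleName,
        [string]$SmartAccessTag,        # e.g. 'Primary_HDX_Proxy:temp'
        [string]$IncludedUserGroup,     # e.g. 'xd.local\sales'
        [Parameter(Mandatory)][bool]$Protect
    )
    # Resolve the group by name; stop on a typo instead of creating a stray rule.
    $group = Get-BrokerDesktopGroup -Name $DesktopGroupName -ErrorAction Stop

    $rule = Get-BrokerAccessPolicyRule -Name $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Same parameters as the New-BrokerAccessPolicyRule calls in the scenarios:
        # gateway connections only, and a user filter only when a group is given.
        $allowedUsers = if ($IncludedUserGroup) { 'Filtered' } else { 'AnyAuthenticated' }
        $rule = New-BrokerAccessPolicyRule -Name $RuleName `
            -DesktopGroupUid $group.Uid -AllowedConnections ViaAG `
            -AllowedProtocols 'HDX', 'RDP' -AllowedUsers $allowedUsers `
            -AllowRestart $true -Enabled $true
    }

    # Both App Protection requirements are always set together so the rule
    # never ends up with screen capture blocked but keylogging allowed.
    $params = @{
        Name                               = $RuleName
        AppProtectionKeyLoggingRequired    = $Protect
        AppProtectionScreenCaptureRequired = $Protect
    }
    if ($SmartAccessTag) {
        $params.IncludedSmartAccessFilterEnabled = $true
        $params.IncludedSmartAccessTags          = $SmartAccessTag
    }
    if ($IncludedUserGroup) {
        $params.IncludedUserFilterEnabled = $true
        $params.IncludedUsers             = $IncludedUserGroup
    }
    Set-BrokerAccessPolicyRule @params
}

# Scenario 2: iPhone users (Smart Access tag temp) get no App Protection.
Set-ContextualAppProtectionRule -DesktopGroupName 'Win10Desktop' -RuleName 'Win10Desktop_AG_iPhone' `
    -SmartAccessTag 'Primary_HDX_Proxy:temp' -Protect $false

# Scenario 3: only Citrix Workspace app connections (tag cwa) are protected.
Set-ContextualAppProtectionRule -DesktopGroupName 'Win10Desktop' -RuleName 'Win10Desktop_AG_CWA' `
    -SmartAccessTag 'Primary_HDX_Proxy:cwa' -Protect $true

# Scenario 4: members of xd.local\sales are exempt.
Set-ContextualAppProtectionRule -DesktopGroupName 'Win10Desktop' -RuleName 'Win10Desktop_AG_Sales_Group' `
    -IncludedUserGroup 'xd.local\sales' -Protect $false

# Audit: every rule on the group with its filters and App Protection settings.
# Read this before testing: an exception rule only has effect if the default
# _AG rule is set the opposite way (and, for Scenario 4, excludes the group).
$uid = (Get-BrokerDesktopGroup -Name 'Win10Desktop' -ErrorAction Stop).Uid
Get-BrokerAccessPolicyRule -DesktopGroupUid $uid |
    Select-Object Name, AllowedConnections, AllowedUsers, IncludedSmartAccessTags,
        IncludedUsers, ExcludedUsers,
        AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired |
    Format-Table -AutoSize
```

The function is idempotent: running it a second time updates the existing rule instead of failing on a duplicate name, which matters when you iterate on the Smart Access expression on the gateway and re-apply the broker side.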