App Protection

App Protection is an add-on feature that provides enhanced security when using Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). The feature restricts the ability of keylogging and screen-capturing malware to compromise clients. App Protection prevents exfiltration of confidential information such as user credentials and sensitive information on the screen. For more information, see the App Protection documentation.


App Protection policies filter the access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.

To configure App Protection on Citrix Workspace app for Mac, see the Citrix Workspace app for Mac section in the Configuration article.


  • App Protection is supported only from Citrix Workspace app 2001 for Mac or later.

App Protection enhancement

Starting with the 2301 version, App Protection is enhanced to protect the Citrix Workspace app. This enhancement includes protecting the authentication screen and the screen that you see after signing in to the Workspace app.

Support for screen sharing when App Protection is enabled

Starting with the 2402 version, you can share content through Microsoft Teams with HDX optimization, even when App Protection is enabled. With this feature, you can share a screen in the virtual desktop session to its full potential. For more information, see Compatibility with HDX optimization for Microsoft Teams.

Force login prompt for Federated identity provider

Citrix Workspace app now honors the Federated Identity Provider Sessions setting. For more information, see Citrix Knowledge Center article CTX253779.

You no longer need to use the Store authentication tokens policy to force the login prompt.

Inactivity timeout for Citrix Workspace app

The inactivity timeout feature logs you out of the Citrix Workspace app based on a value that the admin sets. Admins can specify the amount of idle time that is allowed before a user is automatically signed out of the Citrix Workspace app. You’re automatically signed out when no activity from the mouse, keyboard, or touch occurs for the specified interval of time, within the Citrix Workspace app window. The inactivity timeout does not affect the already running Citrix Virtual Apps and Desktops and Citrix DaaS sessions or the Citrix StoreFront stores.

The inactivity timeout value can be set from 1 minute to 1440 minutes. By default, the inactivity timeout isn’t configured. Admins can configure the inactivityTimeoutInMinutes property by using a PowerShell module. The PowerShell modules for Citrix Workspace Configuration are available for download.

The end-user experience is as follows:

  • A notification appears three minutes before you’re signed out, with an option to stay signed in, or sign out. The notification appears if you’ve enabled Citrix Workspace app notifications in the system preferences of your Mac.
  • The notification appears only if the configured inactivity timeout value is greater than 5 minutes. For example, if the configured value is 6 minutes, a notification appears when 3 minutes of inactivity is detected. If the configured inactivity timeout value is less than or equal to 5 minutes, the user is signed out without a notification.
  • Users can click Stay signed in to dismiss the notification and continue using the app, in which case the inactivity timer is reset to its configured value. Users can also click Sign-out to end the session for the current store.
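
The following Python sketch is an added example, not Citrix code. It models the timeout rules above so that an admin can check what a planned inactivityTimeoutInMinutes value means for users before applying it. It assumes one-minute granularity, notifications enabled on the Mac, and that the notification cycle restarts after the timer is reset; the function names and sample activity times are constructed for illustration.

```python
"""Model of the inactivity timeout rules on this page (added example)."""

MIN_TIMEOUT, MAX_TIMEOUT = 1, 1440  # allowed range in minutes, from the page
NOTIFY_LEAD = 3        # notification appears 3 minutes before sign-out
NOTIFY_THRESHOLD = 5   # no notification when the timeout is <= 5 minutes


def validate_timeout(minutes):
    """Reject values outside the documented 1..1440 minute range."""
    if isinstance(minutes, bool) or not isinstance(minutes, int):
        raise ValueError("inactivityTimeoutInMinutes must be a whole number")
    if not MIN_TIMEOUT <= minutes <= MAX_TIMEOUT:
        raise ValueError(
            f"inactivityTimeoutInMinutes must be {MIN_TIMEOUT}..{MAX_TIMEOUT}")
    return minutes


def simulate(timeout, activity_minutes, horizon):
    """Return [(minute, event)] for a session that starts at minute 0.

    activity_minutes is a constructed sample: minutes at which mouse,
    keyboard or touch input (or a click on "Stay signed in") occurs
    inside the Workspace app window. Each one resets the idle timer.
    """
    validate_timeout(timeout)
    notifies = timeout > NOTIFY_THRESHOLD
    pending = sorted(set(activity_minutes))
    events, last_activity = [], 0
    for now in range(horizon + 1):
        if pending and pending[0] == now:
            pending.pop(0)
            last_activity = now
            events.append((now, "activity: timer reset"))
            continue
        idle = now - last_activity
        if idle == timeout:
            events.append((now, "signed out"))
            return events          # the Workspace app session has ended
        if notifies and idle == timeout - NOTIFY_LEAD:
            events.append((now, "notification shown"))
    return events


if __name__ == "__main__":
    # Constructed scenario: 10-minute timeout, user responds at minute 8.
    for minute, event in simulate(10, [8], 20):
        print(f"t+{minute:>2} min  {event}")
```
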