About this release
What’s new in 1912
App protection policies work by filtering access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). This means that app protection policies can provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.
App protection is an add-on feature that provides enhanced security when using Citrix Virtual Apps and Desktops. The feature restricts the ability of clients to be compromised by keylogging and screen capturing malware. App protection prevents exfiltration of confidential information such as user credentials and sensitive information displayed on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information.
Citrix recommends that you only use the native Citrix Workspace app to launch a protected session.
App protection is configured between StoreFront and the Controller using the Controller. For information about configuring app protection on the Controller, see App protection in Citrix Virtual Apps and Desktops documentation. This configuration is then applied to Citrix Workspace app by including the app protection component using any of the following methods:
- Graphical user interface
- Command-line interface
You can include the app protection component either during the Citrix Workspace app installation or through an on-demand installation.
- This feature is supported only on Microsoft Windows Desktop operating systems such as Windows 10, Windows 8.1, and Windows 7.
- This feature is not supported over Remote Desktop Protocol (RDP).
For information about configuring app protection in Citrix Workspace app, see App protection.
In earlier releases, if an administrator tried to install Citrix Workspace app on a system that has a user-installed instance of the app, the installation was blocked.
With this release, administrators can override the user-installed instance of Citrix Workspace app and continue with the installation successfully.
Enhancement to Citrix Workspace Updates
In earlier releases, if Citrix Workspace app was installed by an administrator, a non-administrator could not update it.
With this release, a non-administrator can update Citrix Workspace app on an admin-installed instance. You can do that by right-clicking the Citrix Workspace app icon in the notification area and selecting Check for Updates.
The Check for Updates option is now available on both the user-installed and the admin-installed instances of Citrix Workspace app.
Support for outbound proxy
Smart Control allows administrators to define granular policies to configure and enforce user environment attributes for Citrix Virtual Apps and Desktops using Citrix Gateway. For instance, you might want to prohibit users from mapping drives to their remote desktops. This can be achieved using the Smart Control feature on Citrix Gateway.
However, the scenario changes when Citrix Workspace app and Citrix Gateway belong to separate enterprise accounts. In such scenarios, the client domain cannot apply the Smart Control feature because the gateway does not exist on the client domain. Instead, you can use the Outbound ICA Proxy. Outbound ICA Proxy lets you use the Smart Control feature even when Citrix Workspace app and Citrix Gateway are deployed in different organizations.
Citrix Workspace app supports session launches using the Citrix ADC LAN proxy. Either a single, static proxy can be configured or the proxy server can be selected at runtime using the outbound proxy plug-in.
You can configure outbound proxies using the following methods:
- Static proxy: Proxy server is configured by providing a proxy host name and port number.
- Dynamic proxy: A single proxy server can be selected among one or more proxy servers using the proxy plug-in DLL.
You can configure the outbound proxy using the Group Policy Object administrative template and the Registry editor.
For more information about outbound proxy, see Outbound ICA Proxy support in the Citrix Gateway documentation.
For more information about configuring outbound proxy in Citrix Workspace app, see Outbound proxy.
Citrix Embedded Browser binaries
This release no longer installs the Citrix Embedded Browser. In cases where you upgrade to Version 1912, the Citrix Embedded Browser is removed.
In the absence of Citrix Embedded Browser, the following functionalities change:
- Browser content redirection does not function.
- SaaS and Web apps are not launched using the Citrix Embedded Browser. Instead they are launched in the Citrix Secure Browser Service.
Enhancement to desktop sharing with Microsoft Teams
When you share your workspace using Microsoft Teams, Citrix Workspace app displays a red border that surrounds the area of the monitor that is currently being shared. You can share only the Desktop Viewer window, or any local window overlaid on top of it. When you minimize the Desktop Viewer window, screen sharing is paused.
Endpoint encoder performance estimator on Microsoft Teams
When the HdxTeams.exe process (the WebRTC media engine embedded in Citrix Workspace app that handles Microsoft Teams redirection) is launched, it estimates the best encoding resolution that the endpoint’s CPU can sustain without overloading. Possible values are 240p, 360p, 720p and 1080p.
The performance estimation process (also called webrtcapi.EndpointPerformance) runs when HdxTeams.exe initializes. The macroblock code determines the best resolution that can be achieved with the particular endpoint. The highest possible resolution is then included during the codec negotiation between the peers, or between the peer and the conference server.
For information on configuring endpoint encoder, see Endpoint encoder performance estimator on Microsoft Teams.
For information, see Optimization for Microsoft Teams in Citrix Virtual Apps and Desktops documentation.
Enhancement to Citrix Analytics Service
With this release, Citrix Workspace app is instrumented to securely transmit the public IP address of the most recent network hop to Citrix Analytics Service. This data is collected per session launch. It helps Citrix Analytics Service to analyze whether poor performance issues are tied to specific geographic areas. By default, the IP address logs are sent to Citrix Analytics Service. However, you can disable this option on the Citrix Workspace app using the Registry editor.
To disable IP address log transmissions, navigate to the following registry path and set the SendPublicIPAddress key to Off.
- On 64-bit Windows machines, navigate to:
- On 32-bit Windows machines, navigate to:
- Although Citrix Workspace app transmits every IP address that it is launched on, IP address transmissions are best-case efforts. Some of the addresses might not be accurate.
- In closed customer environments, where the endpoints are operating within an intranet, ensure that the URL https://locus.analytics.cloud.com/api/locateip is whitelisted on the endpoint.
For more information on how Performance Analytics uses this information, see Self-Service for Performance.
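The following PowerShell function is an added example, not part of the Citrix documentation. It audits, and with `-Enforce` sets, the SendPublicIPAddress value described above. The function name `Test-CwaPublicIpTransmission` is hypothetical, `$KeyPath` is a placeholder for the registry path Citrix documents for your OS bitness, and the value is assumed to be a string (REG_SZ).

```powershell
# Added example: audit (and optionally enforce) the SendPublicIPAddress setting.
# $KeyPath is a placeholder: pass the registry path that the Citrix
# documentation gives for 64-bit or 32-bit Windows.
function Test-CwaPublicIpTransmission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$KeyPath,   # e.g. 'HKLM:\<path from the Citrix documentation>'
        [switch]$Enforce    # write 'Off' when the value is missing or differs
    )

    $name  = 'SendPublicIPAddress'
    $value = $null

    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$name }
    }

    # The release notes state that the address is sent by default, so a missing
    # key or value, or anything other than an explicit 'Off', counts as enabled.
    $disabled = ($value -is [string]) -and ($value.Trim() -ieq 'Off')

    if (-not $disabled -and $Enforce -and
        $PSCmdlet.ShouldProcess("$KeyPath\$name", "Set to 'Off'")) {
        if (-not (Test-Path -LiteralPath $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        # Assumption: the setting is stored as a string (REG_SZ) value.
        New-ItemProperty -LiteralPath $KeyPath -Name $name -Value 'Off' `
            -PropertyType String -Force | Out-Null
        $value    = 'Off'
        $disabled = $true
    }

    # One object per machine, suitable for Export-Csv in a fleet audit.
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        KeyPath              = $KeyPath
        Value                = if ($null -eq $value) { '<not set>' } else { $value }
        TransmissionDisabled = $disabled
    }
}
```

Run it without `-Enforce` first (or with `-WhatIf`) to report the current state; writing under HKLM requires an elevated session.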