App Protection

App Protection is an add-on feature that provides enhanced security when using Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). The feature restricts the ability of keylogging and screen-capturing malware to compromise clients. App Protection prevents exfiltration of confidential information such as user credentials and sensitive information on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information. For more information, see App Protection.


App Protection policies filter the access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.

To configure App Protection on Citrix Workspace app for Windows, see the Citrix Workspace app for Windows section in the Configuration article.


App Protection is supported only on upgrade from Version 1912 onwards.

Improved ICA file security

This feature provides enhanced security while handling ICA files during a virtual apps and desktops session launch.

Citrix Workspace app lets you store the ICA file in the system memory instead of the local disk when you launch a virtual apps and desktops session.

This feature aims to eliminate the attack surface, and any malware misuse, that an ICA file stored locally allows. This feature also applies to virtual apps and desktops sessions that are launched on workspace for Web.


ICA file security is also supported when Citrix Workspace or StoreFront is accessed through the web. Client detection is a prerequisite for the feature to work if it’s accessed through the web. If you’re accessing StoreFront using a browser, enable the following attributes in the web.config file on StoreFront deployments:

StoreFront Version    Attribute
2.x                   pluginassistant
3.x                   protocolHandler

When you sign in to the store through the browser, click Detect Workspace App. If the prompt doesn’t appear, clear the browser cookies and try again.
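
The following check is an added example, not code from Citrix or from the original page. It audits a StoreFront web.config for the client-detection attribute that matches the StoreFront version listed above. The function name Test-ClientDetection, the sample XML, and the assumption that each attribute appears as an XML element carrying enabled="true" or "false" are illustrative.

```powershell
function Test-ClientDetection {
    param(
        [Parameter(Mandatory)] [xml] $WebConfig,
        [Parameter(Mandatory)] [ValidateSet('2.x', '3.x')] [string] $StoreFrontVersion
    )

    # Attribute required per StoreFront version, as listed on this page.
    $required = @{ '2.x' = 'pluginassistant'; '3.x' = 'protocolHandler' }[$StoreFrontVersion]

    # Assumption: the attribute is an XML element of that name with enabled="true|false".
    # Match the name case-insensitively, wherever the element sits in the file.
    $node = $WebConfig.SelectNodes('//*') |
        Where-Object { $_.LocalName -ieq $required } |
        Select-Object -First 1

    if ($null -eq $node) {
        $state = 'Missing'
    } elseif ($node.GetAttribute('enabled') -ieq 'true') {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }

    # One result object per check, so results can be collected across servers.
    [pscustomobject]@{
        StoreFrontVersion = $StoreFrontVersion
        Attribute         = $required
        State             = $state
        ClientDetectionOk = ($state -eq 'Enabled')
    }
}

# Constructed sample input, not taken from a real deployment.
[xml]$sample = @'
<configuration>
  <clientSettings>
    <pluginAssistant enabled="true">
      <protocolHandler enabled="false" />
    </pluginAssistant>
  </clientSettings>
</configuration>
'@

Test-ClientDetection -WebConfig $sample -StoreFrontVersion '2.x'
Test-ClientDetection -WebConfig $sample -StoreFrontVersion '3.x'
```

To audit a real deployment, load the store's web.config with [xml](Get-Content -Raw <path>) and pass the result as -WebConfig. A State of Missing or Disabled means client detection, and therefore in-memory ICA handling through the browser, will not work.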

If it’s a Workspace deployment, you can find the client detection settings by navigating to Accounts settings > Advanced > Apps and Desktops Launch Preference.

You can take extra measures so that sessions are launched only using the ICA file stored on system memory. Use any of the following methods:

  • Group Policy Object (GPO) Administrative template on the client.
  • Global App Config Service.
  • Workspace for web.

Using the GPO:

To block session launches from ICA files that are stored on the local disk, do the following:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace > Client Engine.
  3. Select the Secure ICA file session launch policy and set it to Enabled.
  4. Click Apply and OK.

Using the Global App Config Service:

You can use Global App Config Service from Citrix Workspace app 2106.

To block session launches from ICA files that are stored on the local disk, do the following:

Set the Block Direct ICA File Launches attribute to True.

For more information about Global App Config Service, see Global App Config Service documentation.

Using workspace for web:

To disallow ICA file download on the local disk when using workspace for Web, do the following:

Run the PowerShell module. See Configure DisallowICADownload.


The DisallowICADownload policy isn’t available for StoreFront deployments.

Inactivity Timeout for Workspace Sessions

Admins can configure the inactivity timeout value to specify the amount of idle time allowed before users are automatically signed out of the Citrix Workspace session. Users are automatically signed out of Workspace if the mouse, keyboard, or touch input is idle for the specified interval. The inactivity timeout doesn’t affect active virtual apps and desktops sessions or Citrix StoreFront stores.

The inactivity timeout value can be set from 1 minute to 1,440 minutes. By default, the inactivity timeout isn’t configured. Admins can configure the inactivityTimeoutInMinutes property by using a PowerShell module. The PowerShell modules for Citrix Workspace Configuration are available for download.

The end-user experience is as follows:

  • A notification appears in your session window three minutes before you’re signed out, with an option to stay signed in, or sign out.
  • The notification appears only if the configured inactivity timeout value is greater than or equal to five minutes.
  • Users can click Stay signed in to dismiss the notification and continue using the app, in which case the inactivity timer is reset to its configured value. Users can also click Sign out to end the session for the current store.


Admins can configure the inactivity timeout only for Workspace (cloud) sessions.