Citrix Workspace app 2405 for Windows - Preview

You can download Citrix Workspace app for Windows 2405 preview version from the Downloads page.

For information on installation, see Install page.

You can give EAR feedback using the Podio form.

Note:

This is an Early Access Build shared for the purpose of testing or validation with the intent to make organizations ready for the upcoming release and is NOT advised to be deployed in production environments.

What’s new

Compatibility with the higher versions of .NET

The minimum requirement of .NET for Citrix Workspace app is 6.0.20. For more information, see .NET requirements.

Citrix Workspace app for Windows 2405 version now works with the supported higher version of .NET installed on your system.

Single sign-on support for ARM64 based devices

Starting with the 2405 release, Citrix Workspace app for Windows supports the single sign-on feature on ARM64-based devices. For more information, see Authentication page.

New Add-ons and packaging

From Citrix Workspace app for Windows 2405 version, you can choose the following from the Add-on(s) page during the upgrade of Citrix Workspace app:

  • Start App Protection after installation
  • Enable single sign-on
  • Install Microsoft Teams VDI Plugin

You can uninstall Microsoft Teams Optimization VDI plug-in independent of Citrix Workspace app.

Note:

If a plug-in is already installed on your system, that plug-in option is selected automatically for upgrade. Also, if you don’t have sufficient privileges to download the plug-in, that option won’t be visible on the Add-on(s) page.

Add-ons

Improved Beacon checker tool

As part of the Configuration Checker utility, Citrix Workspace app allows you to do a beacon test using the Beacon checker tool.

Earlier, the Beacon test supported only the ping.citrix.com beacon. Starting with Citrix Workspace app for Windows 2405, the beacon test works for all the beacons configured in the store added in Citrix Workspace app.

For more information, see Configuration Checker and Beacon test.

Upgraded version of WebRTC for the optimized Microsoft Teams

The version of WebRTC that is used for the optimized Microsoft Teams is upgraded to version M117.

Support for MJPEG webcams

Starting with the 2405 version, MJPEG webcams are supported in the H264 stream. The webcam performs MJPEG compression internally which provides better image quality and a higher frame rate.

This feature is enabled by default. However, if a particular webcam doesn’t support MJPEG, this feature is disabled.

Version upgrade for Chromium Embedded Framework

The version of the Chromium Embedded Framework (CEF) is upgraded to 124. This upgraded version includes fixes for known security vulnerabilities.

Enhanced system logs for browser content redirection

With the enhancements to the system logs, browser content redirection now allows admins to monitor the feature status. For more information, see Browser content redirection.

App Protection support for double-hop scenario

Starting with the Citrix Workspace app for Windows 2405 version, App Protection is supported for the double-hop scenario when installed on a workstation VDA (such as Windows 10 or Windows 11) for a single-session VDA.

Double-hop indicates a scenario where a Citrix Virtual App or Virtual Desktop session is running within a Citrix Virtual Desktop session. For more information, see Double-hop in Citrix Virtual Apps and Desktops.

The following image describes the double-hop scenario:

Double-hop

App Protection with double-hop means that the App Protection policies are enabled on the virtual apps and desktops that are opened from the first hop.

The first hop where the App Protection feature is enabled and from where you are opening the protected virtual apps or desktops can be multi-session OS VDA or single-session OS VDA.

The following are the expected behaviors for App Protection with double-hop in multi-session OS VDA and single-session VDA:

App Protection in multi-session OS VDA

App Protection isn’t supported in a multi-session OS VDA (such as Windows Server 2k19 or Windows Server 2k22). Hence, App Protection isn’t installed on such machines.

You can install Citrix Workspace app without App Protection on a multi-session OS. However, resources that are enabled with App Protection policies don’t enumerate and cannot be opened in a multi-session OS VDA.

App Protection in Single Session OS VDA

With the Citrix Workspace app for Windows 2405 version, the App Protection features are supported when installed on a workstation VDA (such as Windows 10 or Windows 11).

The following features are supported currently:

What scenario is supported?

When the second hop virtual app or desktop enabled with anti-screen capture and anti-keylogging is opened within the first hop virtual desktop session, it is protected from screen capture and keylogging tools that are running within the first hop virtual desktop session.

What scenario is not supported?

  • If the first hop virtual desktop doesn’t have App Protection policies enabled, it is possible for screen capture and keylogging tools installed on the client endpoint to capture screens or keystrokes even when the second hop has App Protection policies enabled.

  • If the end user is accessing the first hop machine using an RDP session, App Protection for the second hop isn’t supported.

This feature is enabled by default and therefore needs no separate configuration. The admin needs to configure the App Protection policies for the resources.

Recommendation for end-to-end protection

In order to have end-to-end protection, it is recommended to enable App Protection policies on each hop (both first and second). This way, keylogging and screen capture tools running either on the client or the first hop aren’t able to capture the sensitive content of the second hop session.

Block double-hop launch

App Protection features aren’t supported in a double-hop scenario when using the Citrix Workspace app for Windows versions older than 2405. You are allowed to open virtual apps, desktops, web apps, or SaaS apps that are enabled with App Protection policies in a double-hop scenario. However, the App Protection features are not applied.

You can block the opening of virtual apps, desktops, web apps, or SaaS apps enabled with the App Protection feature in a double-hop scenario.

For more information about enabling the Block Double-hop Launch setting, see Enable Block Double-Hop Launch setting.

App Data Protection

App Data Protection is a feature that provides enhanced security when using the Citrix Enterprise Browser.

When you are using the Citrix Enterprise Browser enabled with the App Data Protection feature, it protects the following by encrypting them:

  • Auto-fill data
  • Bookmarks
  • Browser cache
  • Browser storage folders

    Note:

    Browser storage folders don’t include user downloads.

  • Cookies
  • History
  • Network cache
  • Password vault
  • Settings

Note:

You can access the encrypted data only by opening it using the Citrix Enterprise Browser.

App Data Protection doesn’t protect the following:

  • Downloaded files
  • Extensions

To configure the App Data Protection feature, see Configure App Data Protection.

Disclaimer:

App Data Protection policies filter access to the required functions of the underlying operating system and Citrix Enterprise Browser. Doing so means that App Data Protection policies can provide protection even against custom and purpose-built hacker tools. However, as Citrix Enterprise Browser evolves, additional deficiencies might be found. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.

Limitations

  • If the App Data Protection feature isn’t enabled in the primary store, App Data Protection isn’t enabled for any store. As a workaround, you can limit users to adding only one store to Citrix Workspace app. This ensures that App Data Protection remains enabled for the connected store at all times.
  • When App Data Protection is disabled on GACS, the encrypted items (as listed in the preceding section) are deleted.

System requirements and compatibility

System requirements

Ensure that you meet the following requirements:

  • Ensure that you have installed the Citrix Workspace app using administrator rights.
  • Minimum version of Citrix components:
    • Citrix Workspace app for Windows 2405 or later
    • Citrix Enterprise Browser app 125.1.1.19 or later

Supported operating systems

The App Data Protection feature is supported on endpoints running on the following operating systems:

  • Windows 11 64-bit (Not supported on 32-bit)
  • Windows 10 64-bit (Not supported on 32-bit)

Configure App Data Protection

You can configure App Data Protection for Citrix Enterprise Browser using one of the following methods:

Using Global App Configuration service

Administrators can configure the App Data Protection using the Global App Configuration service (GACS) by doing the following steps:

Note:

  • Data encryption applies to files created before and after enabling the App Data Protection. However, the browser cache and network cache created before enabling App Data Protection are deleted after you enable the App Data Protection.
  • When you disable the App Data Protection, user data is deleted.

  1. Sign in to your Citrix Cloud account and select Workspace Configuration.

    Workspace Configuration

  2. Click App Configuration.

    App Configuration

  3. Select the relevant store from the list of available stores and then click Configure.

  4. Click Enterprise Browser.

    Enterprise Browser option in GACS

  5. Click Security and Privacy.

    Security and privacy option in GACS

  6. Click Enable Browser Data Encryption.

  7. Select the Windows checkbox and then click the Enabled toggle button.

    Enable Browser Data Encryption option in GACS

  8. Click Publish Drafts.

  9. In the Publish Settings dialog box, click Yes.

    Publish settings in GACS

  10. After enabling the App Data Protection in the Global App Configuration service, refresh the Citrix Workspace app and then, quit and reopen Citrix Enterprise Browser for the changes to take effect.

    Restart your machine

    For more information about refreshing the Citrix Workspace app, see the following:

Using API

Administrators can use the API to configure the App Data Protection feature. Set the following setting to true to enable App Data Protection:

  • “name”: “enable citrix enterprise browser cache encryption”
  • “value”: “true” or “false”

Example: The following is a sample JSON file to enable App Data Protection:

{
  "category": "Browser",
  "userOverride": false,
  "settings": [
    {
      "name": "enable citrix enterprise browser cache encryption",
      "value": true
    }
  ]
}

Troubleshooting

This article explains how to troubleshoot the App Data Protection feature.

The App Data Protection feature is not working

If the App Data Protection feature is not working and the data is not being encrypted or decrypted, then do the following steps:

  1. Check if the App Data Protection services are running by running the following commands:

    sc query CtxPkm
    sc query CtxAdpPolicy
    
  2. If the App Data Protection services are not running, run the following commands to start them:

    sc start CtxPkm
    sc start CtxAdpPolicy
    
  3. Check if the relevant drivers are running by running the following commands:

    sc query CtxSupport
    sc query CtxIsolate
    sc query CtxDt2
    sc query CtxDs2
    
  4. If the required drivers are not running, run the following commands to start them:

    sc start CtxSupport
    sc start CtxIsolate
    sc start CtxDt2
    sc start CtxDs2
    
  5. If the App Data Protection feature is still not working, collect the logs and contact contact-data-protection@cloud.com.
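
The checks in steps 1 to 4 combined into one PowerShell script, as an added example that is not Citrix tooling; it reports state by default and starts stopped components only when run elevated with the (hypothetical) -Start switch. It assumes the component names listed above, reads state through the Win32_BaseService CIM class (which covers both services and drivers), and calls sc.exe by its full name because sc is an alias for Set-Content in Windows PowerShell 5.1.

```powershell
# Added example (not Citrix tooling). Component names are those listed in the steps above.
param([switch]$Start)   # hypothetical switch: without it the script only reports state

$components = @(
    @{ Kind = 'service'; Name = 'CtxPkm' }
    @{ Kind = 'service'; Name = 'CtxAdpPolicy' }
    @{ Kind = 'driver';  Name = 'CtxSupport' }
    @{ Kind = 'driver';  Name = 'CtxIsolate' }
    @{ Kind = 'driver';  Name = 'CtxDt2' }
    @{ Kind = 'driver';  Name = 'CtxDs2' }
)

function Get-AdpComponentState {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_BaseService is the parent of Win32_Service and Win32_SystemDriver,
    # so one query covers both kinds and does not depend on the display language.
    $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.State   # for example Running or Stopped
}

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

if ($Start -and -not (Test-IsElevated)) {
    throw 'Starting services and drivers requires an elevated (administrator) session.'
}

$report = foreach ($c in $components) {
    $before = Get-AdpComponentState -Name $c.Name
    $after  = $before
    if ($Start -and $before -eq 'Stopped') {
        # Same command as steps 2 and 4, invoked as sc.exe to avoid the Set-Content alias.
        & sc.exe start $c.Name | Out-Null
        Start-Sleep -Seconds 2
        $after = Get-AdpComponentState -Name $c.Name
    }
    [pscustomobject]@{ Kind = $c.Kind; Name = $c.Name; Before = $before; After = $after }
}

$report | Format-Table -AutoSize

# Step 5: anything still not running means logs should be collected.
$failed = $report | Where-Object { $_.After -ne 'Running' }
if ($failed) {
    Write-Warning ('Not running: {0}. Collect logs as described under "Collecting logs".' -f
        ($failed.Name -join ', '))
    exit 1
}
```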

Collecting logs

To collect App Data Protection logs, navigate to C:\Program Files (x86)\Citrix\CTXReceiverLogs and collect logs.

To collect logs for the Virtual Delivery Agent, do the following steps:

  1. To get traces from the App Data Protection service through CDF control, select all the modules as shown in the following image.

    CDF traces

  2. In certain cases, we might have to capture CDF traces from a different machine. To collect CDF traces, see CTX237216.

Citrix Enterprise Browser

This release of Citrix Enterprise Browser is installed with Citrix Workspace app for Windows 2405, and it’s based on the Chromium version 125.1.1.19.

Additional security policies for the Citrix Enterprise Browser

Citrix introduces additional access restriction policies to enhance the security and user experience of Citrix Enterprise Browser with Secure Private Access and Global App Configuration service (GACS).

The restriction policies that are managed through Secure Private Access are as follows:

The security policies that are managed through GACS are as follows:

Personal data masking

Administrators can use the Personal data masking restriction setting to mask various types of sensitive information such as credit card numbers, social security numbers, and dates. Additionally, you have the flexibility to define custom rules for detecting specific types of sensitive information and masking it accordingly. The Personal data masking setting has the option to fully or partially mask the information. You can manage this setting through Secure Private Access using Citrix Cloud account.

Copy

Administrators can enable or disable copying of data from a SaaS or internal web app with this access policy when accessed via Citrix Enterprise browser. The default value is Enabled. You can manage this setting through Secure Private Access using Citrix Cloud account.

Paste

Administrators can enable or disable pasting of copied data into the SaaS or internal web app with this access policy when accessed via Citrix Enterprise Browser. The default value is Enabled. You can manage this setting through Secure Private Access using Citrix Cloud account.

Upload restriction by file type

Restrict file uploads based on the MIME (multi-purpose internet mail extensions) types. Unlike the Uploads setting, which allows you to restrict file uploads based on domain, the Upload MIME types setting enables you to restrict MIME types for files uploaded to your apps by the end users. You can manage this setting through Secure Private Access using Citrix Cloud account.

Download restriction by file type

Restrict file downloads based on the MIME (multi-purpose internet mail extensions) types.

Unlike the legacy Downloads setting, which allows you to restrict file downloads based on domain, the Downloads MIME types setting enables you to restrict MIME types for files downloaded from your apps by the end users. You can manage this setting through Secure Private Access using Citrix Cloud account.

Printing

Administrators can enable or disable printing data from the configured SaaS or Internal web apps with this policy when accessed via Citrix Enterprise Browser. The default value is Enabled. You can manage this setting through Secure Private Access using Citrix Cloud account.

Printer management

Starting with version 2405, enterprises can prevent the printing of confidential documents and the unauthorized sharing of data. End users can now print using admin-configured printers only. Admins can configure this feature through Secure Private Access and can specify a printer for an app too. If any of the printing options are disabled, the end user can’t save or print that page.

Manage Citrix Enterprise Browser through Global App Configuration service

Audio Capture Allowed

When you enable this setting, users are allowed to capture audio inputs. By default, the user is prompted for audio capture access and can choose to enable or disable the audio access. You can manage this setting through Global App Configuration service using Citrix Cloud account.

Video Capture Allowed

When you enable this setting, users are allowed to capture video inputs. By default, the user is prompted for video capture access and can choose to enable or disable the video access. You can manage this setting through Global App Configuration service using Citrix Cloud account.

Note:

  • Policies such as Personal data masking, Copy, and Paste are available for StoreFront stores on both Windows and Mac operating systems.
  • Policies such as Upload restriction by file type, Download restriction by file type, Audio Capture Allowed, and Video Capture Allowed are available for both Workspace and StoreFront stores on both Windows and Mac operating systems.
  • The policies configured through Global App Configuration service are applied at the browser level, meaning that all apps opened on Citrix Enterprise Browser are affected by these policies. In contrast, the policies configured through Secure Private Access are applied on a per-app (per-URL) basis.
  • When you configure a policy through both GACS and Secure Private Access, the policy applied through Secure Private Access takes precedence over GACS.
  • When both Uploads and Upload MIME types restrictions are enabled in a policy, the Uploads setting takes precedence over the other. Similarly, when both Downloads and Download MIME types settings are enabled in a policy, the Downloads setting takes precedence over the other.
  • For Printing restriction, the local printer policy applies to USB printers as well.

Fixed issues

  • When the ICA- prefix keywords are set for a cloud hybrid session and when a user reconnects to the disconnected desktop, the user might fail to see the prompt that appears to sign out from the desktop session. [WSP-24115]

  • You might fail to add a custom portal store using group policy editor when the storeAdditionAllowType is set to single in the Global App Config service. [RFWIN-35218]

  • When you enable the VPrefer policy, the apps that require User Account Control (UAC) elevation might fail to open. [RFWIN-35169]

  • When NetScaler Gateway store is configured through command line or Group Policy Editor, you might not be able to sign in to the store and might get the following error message:

    “Unable to connect to the Server check your network connection” [RFWIN-35180]

  • You might be able to click the resources in Citrix Workspace app for Windows multiple times in a short duration before the resource is successfully launched. [RFWIN-35268]

  • When an admin enables the Name enforced by admin property and then updates the store name, the updated name might not appear on the UI when you reopen the Citrix Workspace app. [RFWIN-32918]

  • Echo cancellation might not be supported with Citrix Workspace app. [HDX-63363]

  • App Protection anti-keylogging bypass when using special keys. [CVADHELP-24452]

  • Installation of Crestron app might fail, if you have installed DG Solutions and Citrix Workspace app for Windows with App Protection feature enabled. [CVADHELP-24476]

  • In a double-hop scenario, the ALT+TAB key might not work on macOS clients. [CVADHELP-23085]

  • If a full-screen HDX session is in focus and the endpoint is locked using Ctrl+Alt+Del, users might be unable to type anything after unlocking. [CVADHELP-24512]

Known issues

  • The BCRClient.msi installer is supported only on the same Citrix Workspace app version from where the installer file is taken. [HDX-66081]
  • When a new user starts the virtual desktop for the first time, the session window appears small. Also, the window is placed in the upper left of the screen. The issue is observed on certain display devices with high DPI, such as Microsoft Surface Pro. As a workaround, resize the window manually. The preferred dimensions will be retained, and subsequent starts of the same desktop will display correctly. [HDX-62297]