Citrix Workspace app Desktop Lock

You can use the Citrix Workspace app Desktop Lock when you do not need to interact with the local desktop. You can use the Desktop Viewer (if enabled), however it has only the required set of options on the toolbar: Ctrl+Alt+Del, Preferences, Devices, and Disconnect.

Citrix Workspace app for Windows with Desktop Lock works on domain-joined machines, which are SSON-enabled (Single Sign-On) and store configured; it can also be used on non-domain joined machines without SSON enabled. It does not support PNA sites. Previous versions of Desktop Lock are not supported when you upgrade to Citrix Receiver for Windows 4.2 or later.

You must install Citrix Workspace app for Windows with the /includeSSON flag. You must configure the store and Single Sign-on, either using the adm/admx file or cmdline option. For more information, see Install and configure Citrix Receiver using the command line.

Then, install the Citrix Workspace app Desktop Lock as an administrator using the CitrixWorkspaceDesktopLock.msi available in the Citrix Downloads page.

System requirements for Citrix Workspace app Desktop Lock

  • Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. For more information, see the Microsoft Download page.
  • Supported on Windows 7 (including Embedded Edition), Windows 7 Thin PC, Windows 8, and Windows 8.1 and Windows 10 (Anniversary update included).
  • Connects to StoreFront through native protocols only.
  • Domain-joined and non-domain joined end points.
  • User devices must be connected to a local area network (LAN) or wide area network (WAN).

Local App Access

Important

Enabling Local App Access may permit local desktop access unless a full lock down has been applied with the Group Policy Object template or a similar policy. See Configure Local App Access and URL redirection in Citrix Virtual Apps and Desktops for more information.

Working with Citrix Workspace app Desktop Lock

  • You can use Citrix Workspace app Desktop Lock with the following Citrix Workspace app features:
    • 3Dpro, Flash, USB, HDX Insight, Microsoft Lync 2013 plug-in, and local app access
    • Domain, two-factor, or smart card authentication only
  • Disconnecting the Citrix Workspace app Desktop Lock session logs out the end device.
  • Flash redirection is disabled on Windows 8 and later versions. Flash redirection is enabled on Windows 7.
  • The Desktop Viewer is optimized for Citrix Workspace app Desktop Lock with no Home, Restore, Maximize, and Display properties.
  • Ctrl+Alt+Del is available on the Viewer toolbar.
  • Most windows shortcut keys are passed to the remote session, with the exception of Windows+L. For details, see Passing Windows shortcut keys to the remote session.
  • Ctrl+F1 triggers Ctrl+Alt+Del when you disable the connection or desktop viewer for desktop connections.

To install Citrix Workspace app Desktop Lock

This procedure installs Citrix Workspace app for Window so that virtual desktops appear using Citrix Workspace app Desktop Lock. For deployments that use smart cards, see To configure smart cards for use with devices running Receiver Desktop Lock.

  1. Log on using a local administrator account.

  2. At a command prompt, run the following command (located in the Citrix Workspace app and Plug-ins > Windows > Citrix Workspace app folder on the installation media).

    For example:

    pre codeblock
    CitrixWorkspaceApp.exe
         /includeSSON
    STORE0="DesktopStore;https://my.storefront.server/Citrix/MyStore/discovery;on;Desktop Store"
    

    For command details, see the Citrix Workspace app install documentation at Configure and install Citrix Worksapce for Windows using command-line parameters.

  3. In the same folder on the installation media, double-click CitrixReceiverDesktopLock.MSI . The Desktop Lock wizard opens. Follow the prompts.

  4. When the installation completes, restart the user device. If you have permission to access a desktop and you log on as a domain user, the device appears using Citrix Workspace app Desktop Lock.

To allow administration of the user device after installation, the account used to install CitrixWorkspaceDesktopLock.msi is excluded from the replacement shell. If that account is later deleted, you will not be able to log on and administer the device.

To run a silent install of Citrix Workspace Desktop Lock, use the following command line:

msiexec /i CitrixWorkspaceDesktopLock.msi /qn

To configure Citrix Workspace app for Windows Desktop Lock

Grant access to only one virtual desktop running Citrix Workspace app Desktop Lock per user.

Using Active Directory policies, prevent users from hibernating virtual desktops.

Use the same administrator account to configure Citrix Workspace app Desktop Lock as you did to install it.

  • Ensure that the receiver.admx (or receiver.adml) and receiver_usb.admx (.adml) files are loaded into Group Policy (where the policies appear in Computer Configuration or User Configuration > Administrative Templates > Classic Administrative Templates (ADMX) > Citrix Components). The .admx files are located in %Program Files%\Citrix\ICA Client\Configuration\.
  • USB preferences - When a user plugs in a USB device, that device is automatically remoted to the virtual desktop; no user interaction is required. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.
    • Enable the USB policy rule.
    • In Citrix Workspace app > Remoting client devices > Generic USB Remoting, enable and configure the Existing USB Devices and New USB Devices policies.
  • Drive mapping - In Citrix Workspace app> Remoting client devices, enable and configure the Client drive mapping policy.
  • Microphone - In Citrix Workspace app > Remoting client devices, enable and configure the Client microphone policy.

To configure smart cards for use with devices running Citrix Workspace app for Windows Desktop Lock

  1. Configure StoreFront.
    1. Configure the XML Service to use DNS Address Resolution for Kerberos support.
    2. Configure StoreFront sites for HTTPS access, create a server certificate signed by your domain certificate authority, and add HTTPS binding to the default website.
    3. Ensure pass-through with smart card is enabled (enabled by default).
    4. Enable Kerberos.
    5. Enable Kerberos and Pass-through with smart card.
    6. Enable Anonymous access on the IIS Default Web Site and use Integrated Windows Authentication.
    7. Ensure the IIS Default Web Site does not require SSL and ignores client certificates.
  2. Use the Group Policy Management Console to configure Local Computer Policies on the user device.
    1. Import the Receiver.admx template from %Program Files%\Citrix\ICA Client\Configuration\.
    2. Expand Administrative Templates > Classic Administrative Templates (ADMX) > Citrix Components > Citrix Workspace > User authentication.
    3. Enable Smart card authentication.
    4. Enable Local user name and password.
  3. Configure the user device before installing Citrix Workspace app Desktop Lock.
    1. Add the URL for the Delivery Controller to the Windows Internet Explorer Trusted Sites list.
    2. Add the URL for the first Delivery Group to the Internet Explorer Trusted Sites list in the form desktop://delivery-group-name.
    3. Enable Internet Explorer to use automatic logon for Trusted Sites.

When Citrix Workspace app Desktop Lock is installed on the user device, a consistent smart card removal policy is enforced. For example, if the Windows smart card removal policy is set to Force logoff for the desktop, the user must log off from the user device as well, regardless of the Windows smart card removal policy set on it. This ensures that the user device is not left in an inconsistent state. This applies only to user devices with the Citrix Workspace app Desktop Lock.

To remove Citrix Workspace app Desktop Lock

Be sure to remove both of the components listed below.

  1. Log on with the same local administrator account that was used to install and configure Citrix Workspace app Desktop Lock.
  2. From the Windows feature for removing or changing programs:
    • Remove Citrix Workspace app Desktop Lock.
    • Remove Citrix Workspace app for Windows.

Passing Windows shortcut keys to the remote session

Most windows shortcut keys are passed to the remote session. This section highlights some of the common ones.

Windows

  • Win+D - Minimize all windows on the desktop.
  • Alt+Tab - Change active window.
  • Ctrl+Alt+Delete - via Ctrl+F1 and the desktop viewer toolbar.
  • Alt+Shift+Tab
  • Windows+Tab
  • Windows+Shift+Tab
  • Windows+All Character keys

Windows 8

  • Win+C - Open charms.
  • Win+Q - Search charm.
  • Win+H - Share charm.
  • Win+K - Devices charm.
  • Win+I - Settings charm.
  • Win+Q - Search apps.
  • Win+W - Search settings.
  • Win+F - Search files.

Windows 8 apps

  • Win+Z - Get to app options.
  • Win+. - Snap app to the left.
  • Win+Shift+. - Snap app to the right.
  • Ctrl+Tab - Cycle through app history.
  • Alt+F4 - Close an app.

Desktop

  • Win+D - Open desktop.
  • Win+, - Peek at desktop.
  • Win+B - Back to desktop.

Other

  • Win+U - Open Ease of Access Center.
  • Ctrl+Esc - Start screen.
  • Win+Enter - Open Windows Narrator.
  • Win+X - Open system utility settings menu.
  • Win+PrintScrn - Take a screen shot and save to pictures.
  • Win+Tab - Open switch list.
  • Win+T - Preview open windows in taskbar.