Citrix Workspace app Desktop Lock
You can use the Citrix Workspace app Desktop Lock when you do not need to interact with the local desktop. You can use the Desktop Viewer (if enabled), however it has only the following set of options on the toolbar:
Citrix Workspace app for Windows with Desktop Lock works on domain-joined machines, which are SSON-enabled (Single Sign-On) and store configured. It does not support PNA sites. Previous versions of Desktop Lock are not supported when you upgrade to Citrix Receiver for Windows 4.2 or later.
You must install Citrix Workspace app for Windows with the
/includeSSON flag. You must configure the store and Single Sign-on, either using the adm/admx file or cmdline option. For more information, see Install.
Then, install the Citrix Workspace app Desktop Lock as an administrator using the
CitrixWorkspaceDesktopLock.msi available in the Citrix Downloads page.
- Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. For more information, see the Microsoft Download page.
- Supported on Windows 7 (including Embedded Edition), Windows 7 Thin PC, Windows 8, and Windows 8.1 and Windows 10 (Anniversary update included).
- Connects to StoreFront through native protocols only.
- Domain-joined end points.
- User devices must be connected to a local area network (LAN) or wide area network (WAN).
Local App Access
Enabling Local App Access might permit local desktop access unless a full lock down has been applied with the Group Policy Object template or a similar policy. For more information, see the Configure Local App Access and URL redirection section in the Citrix Virtual Apps and Desktops documentation.
Working with Citrix Workspace app Desktop Lock
- You can use Citrix Workspace app Desktop Lock with the following Citrix Workspace app features:
- 3Dpro, Flash, USB, HDX Insight, Microsoft Lync 2013 plug-in, and local app access
- Domain, two-factor, or smart card authentication only
- Disconnecting the Citrix Workspace app Desktop Lock session logs out the end device.
- Flash redirection is disabled on Windows 8 and later versions. Flash redirection is enabled on Windows 7.
- The Desktop Viewer is optimized for Citrix Workspace app Desktop Lock with no Home, Restore, Maximize, and Display properties.
- Ctrl+Alt+Del is available on the desktop viewer toolbar.
- Most windows shortcut keys are passed to the remote session, with the exception of Windows+L.
- Ctrl+F1 triggers Ctrl+Alt+Del when you disable the connection or desktop viewer for desktop connections.
With the Desktop Lock installed, and
LiveInDesktopDisconnectOnLockset to False in the registry path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Dazzle, the active session gets disconnected when the end-point wakes up from hibernation or standby mode.
Install Citrix Workspace app Desktop Lock
This procedure installs Citrix Workspace app for Window so that virtual desktops appear using Citrix Workspace app Desktop Lock. For deployments that use smart cards, see Smart card.
Log on using a local administrator account.
At a command prompt, run the following command (located in the Citrix Workspace app and Plug-ins > Windows > Citrix Workspace app folder on the installation media).
CitrixWorkspaceApp.exe /includeSSON STORE0="DesktopStore;https://my.storefront.server/Citrix/MyStore/discovery;on;Desktop Store"
For command details, see the Citrix Workspace app install documentation at Install.
In the same folder on the installation media, double-click
CitrixWorkspaceDesktopLock.msi. The Desktop Lock wizard appears. Follow the prompts.
When the installation completes, restart the user device. If you have permission to access a desktop and you log on as a domain user, the device appears using Citrix Workspace app Desktop Lock.
To allow administration of the user device after installation, the account used to install
CitrixWorkspaceDesktopLock.msi is excluded from the replacement shell. If that account is later deleted, you will not be able to log on and administer the device.
To run a silent install of Citrix Workspace Desktop Lock, use the following command line:
msiexec /i CitrixWorkspaceDesktopLock.msi /qn
Configure Citrix Workspace app Desktop Lock
Grant access to only one virtual desktop running Citrix Workspace app Desktop Lock per-user.
Using Active Directory policies prevent users from hibernating virtual desktops.
Use the same administrator account to configure Citrix Workspace app Desktop Lock as you did to install it.
- Ensure that the receiver.admx (or receiver.adml) and receiver_usb.admx (.adml) files are loaded into Group Policy (where the policies appear in Computer Configuration or User Configuration > Administrative Templates > Classic Administrative Templates (ADMX) > Citrix Components). The .admx files are located in %Program Files%\Citrix\ICA Client\Configuration\.
- USB preferences - When a user plugs in a USB device, that device is automatically remoted to the virtual desktop; no user interaction is required. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.
- Enable the USB policy rule.
- In Citrix Workspace app > Remoting client devices > Generic USB Remoting, enable and configure the Existing USB Devices and New USB Devices policies.
- Drive mapping - In Citrix Workspace app> Remoting client devices, enable and configure the Client drive mapping policy.
- Microphone - In Citrix Workspace app > Remoting client devices, enable and configure the Client microphone policy.
Configure smart cards for use with Windows Desktop Lock
- Configure StoreFront.
- Configure the XML Service to use DNS Address Resolution for Kerberos support.
- Configure StoreFront sites for HTTPS access, create a server certificate signed by your domain certificate authority, and add HTTPS binding to the default website.
- Ensure pass-through authentication with smart card is enabled (enabled by default).
- Enable Kerberos.
- Enable Kerberos and pass-through authentication with smart card.
- Enable Anonymous access on the IIS Default Web Site and use Integrated Windows Authentication.
- Ensure the IIS Default Web Site does not require SSL and ignores client certificates.
- Use the Group Policy Management Console to configure Local Computer Policies on the user device.
- Import the Receiver.admx template from %Program Files%\Citrix\ICA Client\Configuration\.
- Expand Administrative Templates > Classic Administrative Templates (ADMX) > Citrix Components > Citrix Workspace > User authentication.
- Enable Smart card authentication.
- Enable Local user name and password.
- Configure the user device before installing Citrix Workspace app Desktop Lock.
- Add the URL for the Delivery Controller to the Windows Internet Explorer Trusted Sites list.
- Add the URL for the first Delivery Group to the Internet Explorer Trusted Sites list in the form desktop://delivery-group-name.
- Enable Internet Explorer to use automatic logon for Trusted Sites.
When Citrix Workspace app Desktop Lock is installed on the user device, a consistent smart card removal policy is enforced. For example, if the Windows smart card removal policy is set to Force logoff for the desktop, the user must log off from the user device as well, regardless of the Windows smart card removal policy set on it. This ensures that the user device is not left in an inconsistent state. This applies only to user devices with the Citrix Workspace app Desktop Lock.
Remove Desktop Lock
Be sure to remove both of the components listed below.
- Log on with the same local administrator account that was used to install and configure Citrix Workspace app Desktop Lock.
- From the Windows feature for removing or changing programs:
- Remove Citrix Workspace app Desktop Lock.
- Remove Citrix Workspace app for Windows.
Passing Windows shortcut keys to the remote session
Most windows shortcut keys are passed to the remote session. This section highlights some of the common ones.
- Win+D - Minimize all windows on the desktop.
- Alt+Tab - Change active window.
- Ctrl+Alt+Delete - via Ctrl+F1 and the desktop viewer toolbar.
- Windows+All Character keys
- Win+C - Open charms.
- Win+Q - Search charm.
- Win+H - Share charm.
- Win+K - Devices charm.
- Win+I - Settings charm.
- Win+Q - Search apps.
- Win+W - Search settings.
- Win+F - Search files.
Windows 8 apps
- Win+Z - Get to app options.
- Win+. - Snap app to the left.
- Win+Shift+. - Snap app to the right.
- Ctrl+Tab - Cycle through app history.
- Alt+F4 - Close an app.
- Win+D - Open desktop.
- Win+, - Peek at desktop.
- Win+B - Back to desktop.
- Win+U - Open Ease of Access Center.
- Ctrl+Esc - Start screen.
- Win+Enter - Open Windows Narrator.
- Win+X - Open system utility settings menu.
- Win+PrintScrn - Take a screen shot and save to pictures.
- Win+Tab - Open switch list.
- Win+T - Preview open windows in taskbar.
Citrix Workspace app Desktop Lock
In this article
- System requirements
- Local App Access
- Working with Citrix Workspace app Desktop Lock
- Install Citrix Workspace app Desktop Lock
- Configure Citrix Workspace app Desktop Lock
- Configure smart cards for use with Windows Desktop Lock
- Remove Desktop Lock
- Passing Windows shortcut keys to the remote session
- Windows 8
- Windows 8 apps