App Protection is a feature for the Citrix Workspace app that provides enhanced security when using Citrix Virtual Apps and Desktops published resources. App Protection is supported for on-premises Citrix Virtual Apps and Desktops deployments, and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) with StoreFront and Workspace. It means that App Protection is supported on all cloud environments, on-premises environments, and hybrid environments. App Protection is also supported when you are connecting to Storefront or Workspace via ADC Gateway.
Two policies provide anti-keylogging and anti-screen-capturing capabilities for a Citrix HDX session. The policies along with a minimum of Citrix Workspace app 2203.1 LTSR for Windows, Citrix Workspace app 2001 for Mac, or Citrix Workspace app 2108 for Linux can help protect data from keyloggers and screen scrapers.
When you enable anti-keylogging:
- A keylogger sees encrypted keystrokes.
- This feature is active only when a protected window is in focus.
Anti-screen-capturing when enabled:
- On Windows OS and macOS, when you capture a screen, only the content of the protected window is blank. This feature is active when a protected window is not minimized. On the Linux OS, the entire capture is blank. This feature is active whether a protected window is minimized or not.
- For Windows OS and macOS, this feature is active when a protected window is visible (not minimized). For the Linux OS, the feature is active both when a protected window is minimized or maximized.
- When using the print screen button in Windows OS to take screenshots, the data is not copied to the clipboard. To take screenshots using the print screen button, minimize any protected apps.
You configure the policies through PowerShell and through Web Studio.
To configure App Protection through Web Studio, follow these steps:
App protection requires XML trust. To enable XML trust, go to Settings > Enable XML trust.
To choose an App Protection method for a delivery group, follow these steps:
Select Delivery Groups in the left pane.
Select a group and then select Edit in the action bar.
On the App Protection page, you can enable Anti-keylogging and Anti-screen capturing.
After purchasing this feature, ensure you enable the App Protection license.
App Protection policies work by filtering access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). Doing so means that App Protection policies can provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.
Citrix App Protection policies work effectively with underlying operating system components, including ICA files. Citrix would not be able to provide support if intentional tampering or modification of the underlying components is detected, to provide the integrity of policies applied.
As a prerequisite, ensure that you have installed the Citrix Workspace app using administrator rights.
- Citrix Workspace app 2108 for Linux
- Citrix Workspace app 2203.1 LTSR for Windows
- Citrix Workspace app 2002 for Windows
- Citrix Workspace app 2305.1 for Windows (Store)
- Citrix Workspace app 2001 for Mac
- StoreFront 1912 LTSR
- Delivery Controller 1912
- Valid Citrix licenses. For more information, contact your Citrix Sales Representative or Citrix Partner.
If the users are on devices or Workspace app versions that don’t support App Protection, then they won’t be able to access the protected resources. The protected resources include Virtual Apps and Desktops and Web and SaaS apps.
App Protection policies runtime is installed on the endpoint that you are connecting from and not on the VDA you are connecting to. Therefore, only the operating system version of the endpoint is significant. (App Protection can connect to VDAs hosted on any supported operating systems described in Citrix Virtual Apps and Desktops System requirements.)
The App Protection feature is supported on endpoints running the following operating systems:
- Windows 11
- Windows 10
- Windows 8.1
- macOS High Sierra (10.13) and higher
- 64-bit Ubuntu 18.04 and Ubuntu 20.04
- 64-bit Debian 9 and Debian 10
- 64-bit CentOS 7
- 64-bit RHEL 7
- ARMHF 32-bit Raspberry Pi OS (Based on Debian 10 (buster))
- ARM64 Raspberry Pi OS (Based on Debian 11 (bullseye))
For App Protection, Citrix Workspace app for Linux requires Gnome Display Manager along with the supported operating systems.
Check if App Protection is installed
Starting with Citrix Workspace app version 2212, App Protection is installed by default. However, the component might be in an active or dormant state depending on whether the user selected the Start App Protection after installation checkbox.
For Citrix Workspace app versions prior to 2212, App Protection will be installed and be in active state only if you select the Enable app protection checkbox while installing Citrix Workspace app.
App Protection can either be in the STOPPED state or RUNNING state. To check the status of the service, do one of the following steps:
For Citrix Workspace app version 2206 or later, run the following command:
sc query appprotectionsvc <!--NeedCopy-->
For Citrix Workspace app versions prior to 2206, run the following command:
sc query entryprotectsvc <!--NeedCopy-->
In Citrix Workspace app versions prior to 2212, if you hadn’t selected the Enable app protection checkbox while installing Citrix Workspace app and run the preceding command to check the status, then it displays the following error message:
App Protection behavior on different environments
The behavior of App Protection depends on how you access the resources that are configured with App Protection policies. These resources include Virtual Apps and Desktops, internal web apps, and SaaS apps. You can access these resources using a supported native Citrix Workspace app client or a web browser. App Protection performs variedly on different environments:
- Unsupported Citrix Receivers or Citrix Workspace apps - The resources that are configured with App Protection policies are not available.
- Supported Citrix Workspace app versions - The resources that are configured with App Protection policies are available and launches properly.
- Hybrid launch using Workspace store URL - The resources that are configured with App Protection policies are always available. To successfully launch the resources on a web browser using the Workspace store URL, see App Protection for hybrid launch for Workspace.
- Hybrid launch using StoreFront store URL - The resources that are configured with App Protection policies are not available if the StoreFront customization is not deployed. To successfully launch the resources on a web browser using the Storefront store URL, see App Protection for hybrid launch for StoreFront.
Protection is applied under the following conditions:
- Anti screen capture – For Windows and Mac, it is enabled if any protected window is visible on the screen. To disable protection, minimize all protected windows. For Linux, it is enabled if any protected window is active. To disable protection, close all protected windows.
- Anti-keylogging – enabled if a protected window is in focus. To disable protection, change focus to another window.
What does App Protection protect?
To capture the screenshot of any non-Citrix Workspace app window, users must first minimize the protected window. For Linux, users must close all protected windows.
App Protection protects the following Citrix windows:
Citrix logon windows - Citrix Workspace authentication dialogs are protected only on Windows operating systems. For Linux, you must configure the App Protection feature in the
AuthManConfig.xmlfile to enable it for the authentication manager.
- Citrix Workspace app HDX session windows (example, managed desktop)
Self-Service (Store) windows - Citrix Workspace Self-Service windows are protected only on Windows operating systems. For Linux, you must configure the App Protection feature in the
AuthManConfig.xmlfile to enable it for Self-Service windows.
Web and SaaS apps - Web and SaaS apps open in the Citrix Enterprise Browser for Citrix Workspace apps in Windows and Mac. If the apps are configured to have the App Protection policies via the Secure Private Access, then App Protection is applied on a per-tab basis.
What doesn’t App Protection protect?
The following items under the Citrix Workspace apps icon in the navigation bar:
- Connections Center
- All links under Advanced Preferences
- Check for Updates
- Sign Out
If you choose to protect a virtual desktop with anti-screen-capturing, users can still screen share from apps within the virtual desktop. However, for the apps outside of the virtual desktop you won’t be able to take screenshots, or record the virtual desktop.
The following limitations exist by design:
- App Protection enabled virtual apps and desktops are blocked from launching when accessed within RDP sessions.
- App Protection is not supported in double-hop and multiple-hop scenarios.
- App Protection is not supported if you’re on an unsupported version of the Citrix Workspace app or Citrix Receiver. In that case, resources are hidden.
- When the App Protection features are applied to virtual apps and desktops, outgoing screen sharing may be impacted if optimization is used.
- Citrix Workspace app with App protection might not be compatible with some other security solutions or apps using similar underlying technology.
- App Protection is not supported when you launch resources from within the Citrix Secure Browser, or with Remote Browser Isolation.
- In Citrix Workspace app for Linux, you’re unable to use snap applications when App Protection is installed.
Contextual App Protection
Contextual App Protection provides the granular flexibility to apply the App Protection policies conditionally for a subset of users - based on users, their device, and the network posture. For more information, see the following articles:
App Protection for hybrid launch
Hybrid launch of Citrix Virtual Apps and Desktops is when you log in to Citrix Workspace app through the browser (Citrix Workspace for Web), and use the applications through the native Citrix Workspace app. The term hybrid is the result of users applying the combination Citrix Workspace app for Web and the native Citrix Workspace app to connect and use the resources. App Protection supports hybrid launch in Workspace and StoreFront. For more information, see the following articles: