App Protection
App Protection is an add-on feature for the Citrix Workspace app that provides enhanced security when using Citrix Virtual Apps and Desktops published resources.
Two policies provide anti-keylogging and anti-screen-capturing capabilities for a Citrix HDX session. The policies along with a minimum of Citrix Workspace app 1912 for Windows, Citrix Workspace app 2001 for Mac, or Citrix Workspace app 2108 for Linux can help protect data from keyloggers and screen scrapers.
When you enable anti-keylogging:
- A keylogger sees encrypted keystrokes.
- This feature is active only when a protected window is in focus.
When you enable anti-screen-capturing:
- On Windows OS and macOS, when you capture the screen, only the content of the protected window is blank. This feature is active whenever a protected window is visible (not minimized).
- On the Linux OS, the entire capture is blank. This feature is active whether a protected window is minimized or not.
- When using the print screen button in Windows OS to take screenshots, the data is not copied to the clipboard. To take screenshots using the print screen button, minimize any protected apps.
You configure the policies through PowerShell only. There is no GUI administration capability. This configuration is required only to enable or disable functionality for a specific delivery group.
After purchasing this feature, ensure you enable the App Protection license.
Disclaimer:
App Protection policies work by filtering access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). Doing so means that App Protection policies can provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.
Citrix App Protection policies rely on the integrity of underlying operating system components, including ICA files. To preserve the integrity of the applied policies, Citrix cannot provide support if intentional tampering with or modification of those underlying components is detected.
Prerequisite
You have installed the Citrix Workspace app using administrator rights.
Limitations
These limitations exist by design:
- No anti-keylogging support inside HDX or RDP sessions. Endpoint protection is still active. This limitation applies to double-hop scenarios only.
- No feature support when using an unsupported version of the Citrix Workspace app or Citrix Receiver. In that case, resources are hidden.
- App Protection is supported for on-premises Citrix Virtual Apps and Desktops deployments, and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) with StoreFront and Workspace. This means that App Protection is supported on all cloud environments, on-premises environments, and hybrid environments.
- App Protection add-on feature for the Citrix Workspace app prevents outgoing screen sharing.
- App Protection may prevent outgoing and incoming screen sharing with collaboration apps or features that have optimization enabled.
- Applications with App Protection policies are not enumerated in the Connection Leases, hence Service Continuity does not display the app/desktop icons in Citrix Workspace app when in outage/offline mode.
- Citrix Workspace app with App Protection might not be compatible with some other security solutions or apps that use similar underlying technology.
Expected behavior
The expected behaviors depend on how you access the StoreFront store that contains protected resources. You can access the resources using a supported native Citrix Workspace app client.
- Behavior on StoreWeb - Applications with App Protection policies are not enumerated on StoreFront web stores.
- Behavior on unsupported Citrix Receivers or Citrix Workspace apps - Applications with App Protection policies are not enumerated.
- Behavior on supported Citrix Workspace app versions - Protected resources enumerate and start properly.
Protection is applied under the following conditions:
- Anti screen capture – For Windows and Mac, it is enabled if any protected window is visible on the screen. To disable protection, minimize all protected windows. For Linux, it is enabled if any protected window is active. To disable protection, close all protected windows.
- Anti-keylogging – enabled if a protected window is in focus. To disable protection, change focus to another window.
What does App Protection protect?
To capture the screenshot of any non-Citrix Workspace app window, users must first minimize the protected window. For Linux, users must close all protected windows.
App Protection protects the following Citrix windows:
- Citrix logon windows: Citrix Workspace authentication dialogs are protected only on Windows operating systems. For Linux, you must configure the App Protection feature in the `AuthManConfig.xml` file to enable it for the authentication manager.
- Citrix Workspace app HDX session windows (for example, a managed desktop).
- Self-Service (Store) windows: Citrix Workspace Self-Service windows are protected only on Windows operating systems. For Linux, you must configure the App Protection feature in the `AuthManConfig.xml` file to enable it for Self-Service windows.
- Web and SaaS apps: Web and SaaS apps open in the Citrix Enterprise Browser for Citrix Workspace apps on Windows and Mac. If the apps are configured to have the App Protection policies via Secure Private Access, then App Protection is applied on a per-tab basis.
App Protection enhancement: Screen capture detection and notification
Starting from Citrix Workspace app for Windows 2212 release, you can view a notification when a possible attempt of screen capture is made on any protected resources.
The notification appears when there is an:
- attempt to take a screenshot or record video through a screen-capturing tool.
- attempt to take a screenshot through the Print Screen key.
Note:
- The notification appears only once per running instance of the screen capture tool. The notification appears again if you relaunch the tool and attempt screen capture.
- On Citrix Workspace app for Windows 2212 and later, sign-in windows and Self-Service (Store) windows are not protected by default.
Enhancement to App Protection: Anti-DLL Injection
Starting from Citrix Workspace app for Windows 2303 release, we have a security enhancement that helps to protect the Citrix Workspace app from certain unauthorized dynamic-link libraries (DLL) or untrusted modules. If such untrusted modules are injected, the Citrix Workspace app detects these interventions and stops the modules from loading.
The anti-DLL injection can be enabled for the following components:
- Citrix Auth Manager
- Citrix Workspace app UI
- Citrix Virtual Apps and Desktops
User experience
- While starting, Citrix Workspace app verifies the components configured with the anti-DLL feature. If a malicious DLL is found to be injected, the affected component is closed and an alert message is displayed.
- While a component configured with anti-DLL is running, if a malicious DLL is injected, an alert message is displayed.
Configuring the anti-DLL injection feature
By default, the anti-DLL injection feature is disabled. You can enable this feature using the Global App Configuration service or Group Policy Object (GPO).
Configuring through GPO
The following policies are added to configure the anti-DLL injection feature:
- Anti-DLL Injection
- Anti-DLL Injection Module Allow List
Anti-DLL Injection:
Use this policy to enable or disable the anti-DLL injection feature. When this policy is not configured, the anti-DLL feature is disabled. The possible values are:
- Enabled – the anti-DLL injection is enabled for Citrix Auth Manager, Citrix Workspace app UI, and Citrix Virtual Apps and Desktops. Admins can select the required components to enable the Anti-DLL injection feature.
- Disabled – the anti-DLL injection feature is disabled for Citrix Auth Manager, Citrix Workspace app UI, and Citrix Virtual Apps and Desktops.
To enable the policy:
- Open the Citrix Workspace app Group Policy Object administrative template by running `gpedit.msc`.
- Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace > App Protection > Anti-DLL Injection.
- Click the Anti-DLL Injection policy and set it to Enabled. All the components are selected. However, you can modify the selection of the components from the Options section.
- Click OK.
Anti-DLL Injection Module Allow List:
As an administrator, you can use this policy to exclude any DLL from the anti-DLL injection feature. Citrix recommends that you use this policy only to handle exceptional scenarios. When this policy is not configured, no DLL is part of the allow list and all DLLs are covered by the anti-DLL protection. The possible values are:
- Enabled - Excludes DLLs that are added in the allow list from the anti-DLL protection.
- Disabled – Clears the list of DLLs added to the allow list.
To enable the policy:
- Open the Citrix Workspace app Group Policy Object administrative template by running `gpedit.msc`.
- Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace > App Protection > Anti-DLL Module Allow List.
- Click the Anti-DLL Module Allow List policy and set it to Enabled.
- Add the list of modules that you want to exclude from the anti-DLL protection in the Anti-DLL Injection Module Allow List field. Sample format to add DLLs to the allow list:

  ```json
  [
    { "filePath": "C:\\Program Files (x86)\\trusted\\messagebox.dll" },
    { "filePath": "%PROGRAMFILES%\\trusted\\logging.dll" }
  ]
  ```

- Click OK.
Using the Global App Config service
The administrators can use the Global App Config service to configure the anti-DLL Injection feature. The settings are as follows:
- anti dll injection – add the components for which you want to enable the anti-DLL injection feature.
- anti dll module allow list – add the DLLs that you want to exclude from the anti-DLL protection.
For more information, see Global App Configuration Service.
To configure, here is an example JSON file for enabling Anti-DLL Injection and Anti-DLL Module Allow List for Citrix Workspace app for Windows in Global App Configuration service:
```json
{
  "serviceURL": {
    "url": "https://tuleshtest.cloudburrito.com:443"
  },
  "settings": {
    "appSettings": {
      "windows": [
        {
          "category": "App protection",
          "userOverride": false,
          "assignedTo": [
            "AllUsersNoAuthentication"
          ],
          "assignmentPriority": 0,
          "settings": [
            {
              "name": "anti dll injection",
              "value": [
                "Citrix Auth Manager",
                "Citrix Virtual Apps And Desktops",
                "Citrix Workspace app UI"
              ]
            },
            {
              "name": "anti dll module allow list",
              "value": [
                {
                  "filePath": "C:\\Program Files (x86)\\Citrix\\ICA Client\\wfica32.exe"
                },
                {
                  "filePath": "C:\\Program Files (x86)\\Citrix\\ICA Client\\AuthManager\\AuthManSvr.exe"
                }
              ]
            }
          ]
        }
      ]
    },
    "name": "name",
    "description": "desc",
    "useForAppConfig": true
  }
}
```
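The following PowerShell script is an added example, not Citrix code, that sanity-checks the App protection settings of a Global App Configuration service JSON (the same allow-list entry format is used in the GPO field above) before you upload it. The component names are the ones from the example above; the path checks (absolute path, not under a user-writable directory) are this example's own assumptions about a safe allow list, not documented Citrix validation rules.

```powershell
# Added example (not Citrix code): validate the "App protection" settings of a
# Global App Configuration service JSON before uploading it. The component
# names come from the page's example; the path checks are this example's own
# assumptions about a safe allow list, not documented Citrix rules.
$KnownComponents = @('Citrix Auth Manager', 'Citrix Virtual Apps And Desktops', 'Citrix Workspace app UI')

function Test-AllowListEntry {
    param([object]$Entry)
    $problems = @()
    if (-not $Entry.PSObject.Properties['filePath']) {
        return @('allow-list entry has no filePath')
    }
    # %PROGRAMFILES%-style variables are expanded on the machine running this check;
    # a variable that is not set leaves a non-absolute path and is reported below.
    $path = [Environment]::ExpandEnvironmentVariables($Entry.filePath)
    if ($path -notmatch '^[A-Za-z]:\\') {
        $problems += "not an absolute path: $($Entry.filePath)"
    }
    # Every allow-listed module bypasses the anti-DLL check, so the file should sit
    # in an admin-controlled directory, not somewhere a standard user can write to.
    if ($path -match '^[A-Za-z]:\\Users\\' -or $path -match '\\(AppData|Temp)\\') {
        $problems += "user-writable location: $($Entry.filePath)"
    }
    return $problems
}

function Test-AppProtectionConfig {
    param([string]$Json)
    $doc = $Json | ConvertFrom-Json
    $findings = @()
    foreach ($block in @($doc.settings.appSettings.windows)) {
        if ($block.category -ne 'App protection') { continue }
        foreach ($setting in @($block.settings)) {
            switch ($setting.name) {
                'anti dll injection' {
                    foreach ($c in @($setting.value)) {
                        if ($KnownComponents -notcontains $c) { $findings += "unknown component: $c" }
                    }
                }
                'anti dll module allow list' {
                    foreach ($e in @($setting.value)) { $findings += @(Test-AllowListEntry $e) }
                }
            }
        }
    }
    return $findings
}

# Constructed sample: one valid allow-list entry, one misspelled component and
# one DLL in a user-writable folder; the last two should be reported.
$sample = @'
{ "settings": { "appSettings": { "windows": [ {
  "category": "App protection", "userOverride": false,
  "assignedTo": ["AllUsersNoAuthentication"], "assignmentPriority": 0,
  "settings": [
    { "name": "anti dll injection", "value": ["Citrix Auth Manager", "Citrix Workspce app UI"] },
    { "name": "anti dll module allow list", "value": [
        { "filePath": "C:\\Program Files (x86)\\trusted\\messagebox.dll" },
        { "filePath": "C:\\Users\\Public\\helper.dll" } ] }
  ] } ] } } }
'@
Test-AppProtectionConfig -Json $sample | ForEach-Object { Write-Warning $_ }
```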
Disclaimer:
This capability works by filtering access to required functions of the underlying operating system (specific API calls required to load DLLs). Doing so means that it can provide protection even against certain custom and purpose-built hacker tools. However, as operating systems evolve, new ways of loading DLLs can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.
What doesn’t App Protection protect?
- The following items under the Citrix Workspace app icon in the navigation bar:
  - Connections Center
  - All links under Advanced Preferences
  - Personalize
  - Check for Updates
  - Sign Out
- If you choose to protect a virtual desktop with anti-screen-capturing, users can still screen share from apps within the virtual desktop. However, apps outside the virtual desktop cannot take screenshots of, or record, the virtual desktop.
System requirements
Minimum versions of Citrix components
- Citrix Workspace app 2108 for Linux
- Citrix Workspace app 1912 for Windows Long Term Service Release
- Citrix Workspace app 2002 for Windows
- Citrix Workspace app 2001 for Mac
- StoreFront 1912
- Delivery Controller 1912
- Valid Citrix licenses. For more information, contact your Citrix Sales Representative or Citrix Partner.
Operating system platforms
App Protection policies runtime is installed on the endpoint that you are connecting from and not on the VDA you are connecting to. Therefore, only the operating system version of the endpoint is significant. (App Protection can connect to VDAs hosted on any supported operating systems described in Citrix Virtual Apps and Desktops System requirements.)
The App Protection feature is supported on endpoints running the following operating systems:
- Windows 11
- Windows 10
- Windows 8.1
- macOS High Sierra (10.13) and higher
- 64-bit Ubuntu 18.04 and Ubuntu 20.04
- 64-bit Debian 9 and Debian 10
- 64-bit CentOS 7
- 64-bit RHEL 7
- ARMHF 32-bit Raspberry Pi OS (Based on Debian 10 (buster))
Note:
For App Protection, Citrix Workspace app for Linux requires Gnome Display Manager along with the supported operating systems.
Configure
Follow these steps to fully configure and enable the App Protection feature:
- Import the App Protection license†.
- Configure the Workspace app.
- Enable the App Protection policies on the Delivery Controllers†.
† In a Citrix DaaS environment, these configuration steps differ slightly. See the notes in these sections.
1. Licensing
Note:
In a Citrix DaaS environment ignore this step because there are no licenses to install. The App Protection feature is included as a part of certain Citrix Cloud service packages and licenses are provided directly on Citrix Cloud.
App Protection requires that you install an add-on license on the Citrix License Server. A license valid for Citrix Virtual Apps and Desktops 1912 or later must also be present. Contact a Citrix Sales Representative to purchase the App Protection add-on license.
- Download the license file and import it into the Citrix License Server alongside an existing Citrix Virtual Desktops license.
- Use the Citrix Licensing Manager to import the license file (preferred method) or copy the license file to `C:\Program Files (x86)\Citrix\Licensing\MyFiles` on the License Server and restart the Citrix Licensing service. For more information, see Install licenses.
2. Citrix Workspace app
Configure App Protection on the Citrix Workspace app.
Citrix Workspace app for Windows
You can include the App Protection component with the Citrix Workspace app using the following methods:
- During Citrix Workspace app installation.
- Using the command-line interface after the Citrix Workspace app installation.
Ensure that the Citrix Workspace app was installed with the `/includeappprotection` switch enabled.
For more information, see App Protection.
Citrix Workspace app for Mac
App Protection requires no specific configuration on the Citrix Workspace app for Mac.
Citrix Workspace app for Linux
App Protection is supported when Citrix Workspace app for Linux is installed by using the tarball, Debian, and Red Hat Package Manager (RPM) packages. The supported architectures are x64 and ARMHF.
For more information, see App Protection.
3. Delivery Groups
Note:
In a Citrix DaaS environment, use the cmdlets in the Citrix Virtual Apps and Desktops Remote PowerShell SDK on any machine (apart from Citrix Cloud Connector machines) to issue the commands in this section.
Enable the following properties for the App Protection Delivery Group using the Citrix Virtual Apps and Desktops SDK on any installed Delivery Controller machine or on a machine with a stand-alone Studio installed that has the FMA PowerShell snap-ins installed.
- AppProtectionKeyLoggingRequired: True
- AppProtectionScreenCaptureRequired: True
You can enable each of these policies individually per Delivery Group. For example, you can configure keylogging protection only for DG1, and screen capture protection only for DG2. You can enable both policies for DG3.
Example
To enable both policies for a Delivery Group named DG3, run the following command on any Delivery Controller in the site:

```powershell
Set-BrokerDesktopGroup -Name DG3 -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true
```

To validate the settings, run this cmdlet:

```powershell
Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired | Format-Table -AutoSize
```

In addition, enable XML trust:

```powershell
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
```
Ensure that you secure the network between the StoreFront and the Broker. For more information, see Knowledge Center articles CTX236929 and Securing the XenApp and XenDesktop XML Service.
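The following script is an added example, not Citrix code: it audits which Delivery Groups require the App Protection policies and whether the site-level XML trust setting listed above is enabled alongside them. It assumes the Citrix Virtual Apps and Desktops PowerShell SDK (the Broker snap-in) is loaded on a Delivery Controller (in Citrix DaaS, the Remote PowerShell SDK) and that the session is already authenticated to the site.

```powershell
# Added example (not Citrix code): audit App Protection on all Delivery Groups
# and the site's XML trust setting. Assumes the Citrix Virtual Apps and Desktops
# PowerShell SDK is loaded (Remote PowerShell SDK in Citrix DaaS) and the session
# is authenticated to the site.
function Get-AppProtectionStatus {
    $site   = Get-BrokerSite
    $groups = Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired
    foreach ($g in $groups) {
        [pscustomobject]@{
            DeliveryGroup     = $g.Name
            AntiKeylogging    = [bool]$g.AppProtectionKeyLoggingRequired
            AntiScreenCapture = [bool]$g.AppProtectionScreenCaptureRequired
            XmlTrustEnabled   = [bool]$site.TrustRequestsSentToTheXmlServicePort
        }
    }
}

$status = @(Get-AppProtectionStatus)
$status | Format-Table -AutoSize

# The page lists Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true as a
# required step next to the Delivery Group policies, so report any group that
# requires App Protection while the site still has XML trust switched off.
$missingTrust = @($status | Where-Object {
    ($_.AntiKeylogging -or $_.AntiScreenCapture) -and -not $_.XmlTrustEnabled
})
if ($missingTrust.Count -gt 0) {
    $names = ($missingTrust | ForEach-Object { $_.DeliveryGroup }) -join ', '
    Write-Warning "App Protection is required on $names but TrustRequestsSentToTheXmlServicePort is false."
}
```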
Recommendation
App Protection policies are primarily focused on enhancing the security and protection of an endpoint. Review all other security recommendations and policies for your environment. You can use a Security and Control policy template for a recommended configuration in environments with low tolerance to risk. For more information, see Policy templates.
Contextual App Protection
Contextual App Protection provides the granular flexibility to apply the App Protection policies conditionally for a subset of users - based on users, their device, and the network posture. For more information, see the following articles:
App Protection for hybrid launch
Hybrid launch of Citrix Virtual Apps and Desktops is when you log in to Citrix Workspace app through the browser (Citrix Workspace for Web) and use the applications through the native Citrix Workspace app. The term hybrid reflects that users combine Citrix Workspace app for Web and the native Citrix Workspace app to connect to and use the resources. App Protection supports hybrid launch in Workspace and StoreFront. For more information, see the following articles:
Troubleshoot
Applications are not enumerating or not starting:
- Confirm that the affected user is using a supported version of the Citrix Workspace app.
- Ensure that the Delivery Group has the proper features enabled.
App Protection policies are not applying properly:
- Ensure that the Delivery Group has the proper features enabled.
- Ensure that the feature is installed on the endpoint.
- Ensure that the affected user is using a supported Citrix Workspace app version.
- Ensure that the Citrix Workspace app was installed with the /includeappprotection switch enabled.
Screenshots not working on non-Citrix windows:
- Minimize or close the protected Citrix windows, including the Citrix Workspace app.