App Protection for hybrid launch for StoreFront

Hybrid launch of Citrix Virtual Apps and Desktops is when you sign in to StoreFront for Web (by typing in the store URL in the native browser) and launch the virtual apps and desktops through the native Citrix Workspace app and its HDX engine. The term hybrid is the result of using the combination of StoreFront for Web, and the native Citrix Workspace app to connect and use the resources.


When no native Citrix Workspace app components are installed on the endpoint, it’s a zero-install configuration where both the Citrix Workspace store and the HDX engine reside within the browser. This is known as the Citrix Workspace app for HTML5, which is hosted either on Citrix Workspace or Citrix Storefront. This document does not address that scenario.

App Protection for hybrid launch for StoreFront provides the ability for App Protection enabled resources to be enumerated and launched from browsers.


If you select the options Use light version (which uses the HTML5 client) or Already installed, then the App Protection enabled sessions are blocked as the Citrix Workspace app isn’t detected successfully in the browser.

You can access the App Protection enabled apps and desktops using a web browser if the StoreFront customization is deployed, and the native Citrix Workspace app is successfully detected in the browser. See the How to deploy section.


Ensure that you’re using Citrix Workspace app version 1912 LTSR or later, and StoreFront version 3.12 or later. For more information on the required versions of Citrix components for App Protection, see System requirements.

How to deploy

  1. Download the Zip file named, which has all the required files that you must deploy to the StoreFront server machine. Download the file from Citrix Downloads. The file includes the following:

    • DLLs that you must copy to the store’s bin folder
    • JavaScript files and other files required for the solution to work
    • deploy-solution.ps1 PowerShell script, which the StoreFront admin uses to deploy the solution
  2. Unzip the file and open a new administrator PowerShell where the files are extracted. Run the deploy-solution.ps1 command, which takes the takes the following arguments:

    • -Action: The action that the script takes. The allowed values are as follows:

      • The Deploy action deploys the solution in a seamless manner. It creates a backup of files that this solution changes, copies the solution files, and restarts the services. The following screenshot describes the command to deploy the solution on the StoreFront server:


      • The ApplyUICustomization action applies a customization on the store UI so that you don’t see the Already installed and Use light version options. This action enforces detection of the native Citrix Workspace app in the browser, and ensures that you bypass the blocked or unsupported scenarios.

        UI customization

      • The RemoveUICustomization action undoes the action of ApplyUICustomization and the Already Installed and Use light version options appear again.

    • -StoreName: Name of the store for which the action must be taken. This parameter is mandatory, and it must be passed along with the Deploy action.
    • -BackupDir: Parameter that can be passed with the Deploy action to create a backup at the required directory. If not passed, the backup is created on the desktop. This is an optional parameter.


If there are any existing customizations in StoreCustomization_Input.dll or StoreCustomization_Launch.dll, deploying this solution overrides them.

The App Protection enabled apps and desktops will only enumerate after deploying the customizations. Without the deployment, the apps and desktops don’t enumerate.

End user experience of hybrid launch for protected resources

  1. After the deployment of the solution by the admin on the StoreFront server, sign in to your store on the client side. Then access StoreFront using the URL in a web browser.

  2. To see if the Citrix Workspace app is successfully detected in the browser, check the Current status in your Account Settings.

    Current Status

  3. After the successful detection of the Citrix Workspace app, you can see and launch all the virtual apps and desktops that are App Protection enabled.

Enable tracing on StoreFront

You can enable tracing on StoreFront to collect logs. The tracing feature writes detailed information to the trace. This trace can be used to verify whether the configured NetScaler Gateway session policy labels are passed down to the store properly. The default location for trace dumps on the StoreFront server is C:\Program Files\Citrix\Receiver StoreFront\Admin\trace.

To enable tracing and set the trace level, use the PowerShell script SetDSStoreCustomizationTraceLevel.ps1. This script is supplied with the public StoreFront customization SDK found here. The script takes the following parameters:

  • SiteId: IIS Site ID where the store is deployed
  • VirtualPath: Virtual path to the store
  • TraceLevel: Sets the trace levels, which are Error, Info, Off, Verbose, and Warning

Run the following PowerShell commands to know the SiteId and VirtualPath of the store: cd 'c:\program files\Citrix\Receiver Storefront\Scripts'. .\ImportModules.ps1 Get-DSStoreFeatureInstances

Use the SiteId and VirtualPath retrieved from the commands while running the PowerShell script SetDSStoreCustomizationTraceLevel.ps1.


When you launch the App Protection enabled sessions, you’re sometimes faced with the following error:


The possible reasons for this error are as follows:

  • The apps and desktops are configured to open in a browser.

    Troubleshooting 1

    You face this scenario if you clicked Use light version during the Citrix Workspace app detection, as shown in the following screen:


  • The browser doesn’t detect the Citrix Workspace app.

    Troubleshooting 2

    You face this scenario if you clicked Already installed during the Citrix Workspace app detection, as shown in the following screen:


Solution: To correct the preceding scenarios, and launch the App Protection enabled sessions, click Change Citrix Workspace App in Account Settings, and wait for the Citrix Workspace app to be detected.


The Citrix Workspace app detection is mandatory to launch the App Protection enabled sessions. To avoid failures during hybrid launches for protected sessions, the StoreFront admins can use the ApplyUICustomization action of the deploy-solution.ps1 command and hide the Use light version and Already installed options.

App Protection for hybrid launch for StoreFront