Configure App Protection

App Protection provides enhanced security when you use the Citrix Workspace app. The feature restricts the ability of clients to be compromised with keylogging and screen-capturing malware. App Protection prevents exfiltration of confidential information, such as user credentials and sensitive information displayed on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information.

This article explains how to configure App Protection on Citrix Workspace app on different platforms.

App Protection is available on Citrix Workspace app for the following platforms:

Disclaimer

App Protection policies filter the access to required functions of the underlying operating system. Specific API calls are required to capture screens or keyboard presses. App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.

Citrix Workspace app for Windows

Prerequisites

  • Enable the App Protection feature on the Controller. For more information, see App Protection.
  • Citrix Virtual Apps and Desktops Version 1912 LTSR or later.
  • StoreFront version 1912 LTSR or Workspace.
  • Citrix Workspace app version 2203.1 LTSR or later.
  • A valid App Protection license.
  • Starting from Citrix Workspace app version 2212, the App Protection component is installed by default during the Citrix Workspace app installation.

    The Enable app protection check box that appears during the installation is replaced with Start App Protection after installation.

    When you select this check box, App Protection starts immediately after the installation.

    Note:

    If you don’t enable this check box, App Protection automatically starts upon the first start of a protected resource or component for customers who are entitled to App Protection.

Limitations

  • This feature is supported only on desktop operating systems such as Windows 11, Windows 10, and Windows 8.1.
  • Starting with Version 2006.1, Citrix Workspace app isn’t supported on Windows 7, so App Protection doesn’t work on Windows 7. For more information, see Deprecation.
  • This feature isn’t supported over Remote Desktop Protocol (RDP).

Protection of Virtual Apps and Desktops

Two policies provide anti-keylogging and anti-screen capturing functionality in a session. These policies must be configured using PowerShell. No GUI is available for the purpose.

Note:

From version 2103, Citrix DaaS supports App Protection with StoreFront and Workspace.

For information on App Protection configuration on Citrix Virtual Apps and Desktops and Citrix DaaS, see App protection.

Command-line interface

You can start the App Protection component using the /startappprotection command line parameter. However, the previous /includeappprotection switch is deprecated.

The following table provides information on screens protected depending on deployment:

App Protection deployment: Included in Citrix Workspace app
  • Screens protected: Self-service plug-in and Authentication manager / User credentials dialog
  • Screens not protected: Connection Center, Devices, Citrix Workspace app error messages, Auto client reconnect, Add account

App Protection deployment: Configured on the Controller
  • Screens protected: ICA session screen (both apps and desktops)
  • Screens not protected: Connection Center, Devices, Citrix Workspace app error messages, Auto client reconnect, Add account

When you’re taking a screenshot, only the protected window is blacked out. You can take a screenshot of the area outside the protected window. However, if you’re using the PrtScr key to capture a screenshot on a Windows 10 device, you must minimize the protected window.

Previously, anti-screen capture and anti-keylogging capabilities were enforced by default for Citrix authentication and Citrix Workspace app screens. However, starting from 2212, these capabilities are disabled by default and need to be configured using the Group Policy Object.

Note:

This GPO policy isn’t applicable for ICA and SaaS sessions. The ICA and SaaS sessions continue to be controlled using the Delivery Controller and Citrix Secure Private Access.

App Protection enhancement:

From Citrix Workspace app for Windows 2305 and later, anti-keylogging is enabled on the authentication and self-service plug-in screens if one of the following criteria is met:

  • You have enabled App Protection using one of the following:
    • Select the Start App Protection check box during installation.
    • Start the App Protection component using the /startappprotection command line parameter.
  • If you haven’t selected the Start App Protection check box or used the /startappprotection command line parameter during the installation, then the anti-keylogging protection is enabled after launching the first protected resource.

Note:

The Global App Configuration service and Group policy objects settings override the preceding behavior. For example, if you’ve disabled the GACS or GPO policy for these screens, then the anti-keylogging is not enabled on the authentication and SSP screens.

Configure App Protection for Authentication and Self-Service plug-in

Using Global App Configuration service

Starting with the 2302 release, Citrix Workspace app for Windows allows you to configure App Protection for authentication screens and the self-service plug-in using the Global App Configuration service. Previously, you could configure these components only using the Group Policy Object.

If you enable the anti-keylogging and the anti-screen capturing functionality using the Global App Configuration service, they are applicable to both authentication and self-service plug-in.

Note:

The Global App Configuration service configurations don’t apply to Virtual Apps and Desktops or to web and SaaS apps. These resources continue to be controlled using the Delivery Controller and Citrix Secure Private Access. For more information, see the configure section of App Protection in the Citrix Virtual Apps and Desktops documentation.

Using Group Policy Object

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace.
  3. Depending on whether you’re configuring App Protection for authentication manager, or self-service plug-in, use one of the following steps:
    • Authentication manager

      To configure anti-keylogging and anti-screen-capturing for the authentication manager, select User authentication > Manage app protection policy.

    • Self-service plug-in interface

      To configure anti-keylogging and anti-screen capturing for the self-service plug-in interface, select Self Service > Manage App Protection policy.

  4. Select one or both of the following options:
    • Anti-key logging: Prevents keyloggers from capturing keystrokes.
    • Anti-screen capturing: Prevents users from taking screenshots and sharing their screen.
  5. Click Apply and OK.

Expected Behavior:

The expected behavior depends upon the method by which users access the StoreFront that has the protected resources.

Using API

Administrators can use the API to configure these App Protection features. The settings are as follows:

  • Setting to enable or disable anti-screen capturing:

    "name": "enable anti screen capture for auth and ssp"
    "value": "true" or "false"

  • Setting to enable or disable anti-keylogging:

    "name": "enable anti key-logging for auth and ssp"
    "value": "true" or "false"

Example JSON file to enable anti-screen capture and anti-keylogging features for Citrix Workspace app for Windows in GACS:

{
  "category": "App Protection",
  "userOverride": true,
  "assignedTo": [
    "AllUsersNoAuthentication"
  ],
  "settings": [
    {
      "name": "enable anti screen capture for auth and ssp",
      "value": true
    },
    {
      "name": "enable anti key-logging for auth and ssp",
      "value": true
    }
  ]
}

Uninstall App Protection

To uninstall App Protection, uninstall Citrix Workspace app from your system. Restart the system for the changes to reflect.

Citrix Workspace app for Linux

Starting with version 2108, the App Protection feature is fully functional. It supports Virtual Apps and Desktops and is enabled by default for them. However, you must configure the App Protection feature in the AuthManConfig.xml file to enable it for the authentication manager and the self-service plug-in interfaces.

Prerequisite

App Protection works best with the following operating systems along with the Gnome Display Manager:

  • 64-bit Ubuntu 22.04, Ubuntu 20.04, and Ubuntu 18.04
  • 64-bit Debian 10 and Debian 9
  • 64-bit CentOS 7
  • 64-bit RHEL 7
  • ARMHF 32-bit Raspberry Pi OS (Based on Debian 10 (buster))
  • ARM64 Raspberry Pi OS (Based on Debian 11 (bullseye))

Note:

If you’re using Citrix Workspace app earlier than version 2204, the App Protection feature does not support the operating systems that use glibc 2.34 or later.

If you install Citrix Workspace app with the App Protection feature enabled on an OS that uses glibc 2.34 or later, the OS boot might fail when the system restarts. To recover from the OS boot failure, do one of the following:

  • Reinstall the OS.
  • Go to the Recovery mode of the OS and uninstall Citrix Workspace app using the terminal.
  • Boot from a live OS and remove the /etc/ld.so.preload file from the installed OS (for example, with rm -rf /etc/ld.so.preload).

Installing the App Protection component

  1. When you install the Citrix Workspace app using the tarball package, the following message appears: Do you want to install the App Protection component? Warning: You can’t disable this feature. To disable it, you must uninstall Citrix Workspace app. For more information, contact your system administrator. [default $INSTALLER_N]:

  2. Enter Y to install the App Protection component. App Protection isn’t installed by default.

  3. Restart your machine for the changes to reflect. App Protection works as expected only after you restart your machine.

Installing the App Protection component on RPM packages

Starting with Version 2104, App Protection is supported on the RPM version of Citrix Workspace app.

To install App Protection, do the following:

  1. Install Citrix Workspace app.
  2. Install the App Protection ctxappprotection<version>.rpm package from the Citrix Workspace app installer.
  3. Restart the system for the changes to reflect.

Installing the App Protection component on Debian packages

Starting with Version 2101, App Protection is supported on the Debian version of Citrix Workspace app.

To install the App Protection component, run the following command from the terminal before installing Citrix Workspace app:

# Pre-seed the debconf answer so the package installs App Protection non-interactively.
export DEBIAN_FRONTEND="noninteractive"
sudo debconf-set-selections <<< "icaclient app_protection/install_app_protection select yes"

# Confirm that the selection was recorded; the expected output is shown below the command.
sudo debconf-show icaclient
* app_protection/install_app_protection: yes

# Install the package, letting apt resolve its dependencies.
sudo apt install -f ./icaclient_<version>_amd64.deb

Starting with Version 2106, Citrix Workspace app introduces an option to configure the anti-keylogging and anti-screen capturing functionalities separately for both the authentication manager and self-service plug-in interfaces.

Configuring App Protection for authentication manager

Navigate to $ICAROOT/config/AuthManConfig.xml and edit the file so that both keys are set to true, as shown in this grep of the edited file:

/opt/Citrix/ICAClient/config$ grep -i -A 1 authmananti AuthManConfig.xml
    <key>AuthManAntiScreenCaptureEnabled</key>
    <value>true</value>
    <key>AuthManAntiKeyLoggingEnabled</key>
    <value>true</value>

Configuring App Protection for the Self-Service Plug-in interface

Navigate to $ICAROOT/config/AuthManConfig.xml and edit the Selfservice section so that both settings are true, as shown in this grep of the edited file:

/opt/Citrix/ICAClient/config$ grep -i -A 4 protection AuthManConfig.xml
<!-- Selfservice App Protection configuration -->
    <Selfservice>
      <AntiScreenCaptureEnabled>true</AntiScreenCaptureEnabled>
      <AntiKeyLoggingEnabled>true</AntiKeyLoggingEnabled>
    </Selfservice>

Citrix Workspace app for Mac

Starting with the 2301 release, App Protection is enhanced to protect Citrix Workspace app for Mac. This enhancement protects the authentication screen and the screen that you see after signing in to the Workspace app. You can configure App Protection using the Global App Configuration service.

Note:

  • This feature is available only for customers on cloud stores.
  • The Global App Configuration service configurations don’t apply for Virtual Apps and Desktops, and web and SaaS apps. These resources continue to be controlled using the Delivery Controller and Citrix Secure Private Access. For more information see the configure section.

Configuration using Global App Configuration service API

Administrators can use the API to configure the App Protection features. The settings are as follows:

  • To enable or disable anti-screen capture:

    "name": "enable anti screen capture for auth and ssp"
    "value": "true" or "false"

  • To enable or disable anti-keylogging:

    "name": "enable anti key-logging for auth and ssp"
    "value": "true" or "false"

Example of a JSON file to enable anti-screen capture and anti-keylogging features for Citrix Workspace app for Mac in Global App Configuration service:

{
  "category": "App protection",
  "userOverride": true,
  "assignedTo": [
    "AllUsersNoAuthentication"
  ],
  "settings": [
    {
      "name": "enable anti screen capture for auth and ssp",
      "value": true
    },
    {
      "name": "enable anti key-logging for auth and ssp",
      "value": true
    }
  ]
}

Configuration using the Global App Configuration service UI

Administrators can configure App Protection using the Workspace Configuration UI:

  1. Sign into your Citrix Cloud account and select Workspace Configuration.

  2. Select App Configuration (Beta).

  3. Enable the anti-screen capture and anti-keylogging in the App Protection category for the Mac platform.

Licensing

The following section explains the different types of licenses available for App Protection based on the products, platforms, and use cases.

IT-managed VDI

For all editions of IT-managed VDI, App Protection is available as an add-on. For more information, see IT-managed VDI.

Citrix DaaS for Hyperscalers

Citrix DaaS

In the Feature Matrix for Citrix DaaS article, navigate to DaaS cloud Services > Security and Monitoring > App Protection.

Citrix Secure Private Access

App Protection is available as a standalone attachment for Secure Private Access. For more information, navigate to Citrix cloud services > Citrix Secure Private Access in the Service descriptions for Citrix Services article.

Citrix Universal subscription

App Protection is included with the following services:

  • Citrix Universal Premium
  • Citrix Universal Premium Plus

It is available as an add-on with the following editions:

  • Citrix Universal Advanced
  • Citrix Universal Advanced Plus

For more information, see this article.

Delivery Groups

Note:

In a Citrix DaaS environment, use the cmdlets in the Citrix Virtual Apps and Desktops Remote PowerShell SDK on any machine (apart from Citrix Cloud Connector machines) to issue the commands in this section.

Enable the following properties for the App Protection Delivery Group using the Citrix Virtual Apps and Desktops SDK, on any Delivery Controller or on a machine with a stand-alone Studio installation that has the FMA PowerShell snap-ins installed.

  • AppProtectionKeyLoggingRequired: True
  • AppProtectionScreenCaptureRequired: True

You can enable each of these policies individually per Delivery Group. For example, you can configure keylogging protection only for DG1, and screen capture protection only for DG2. You can enable both policies for DG3.

Example

To enable both policies for a Delivery Group named DG3, run the following command on any Delivery Controller in the site:

Set-BrokerDesktopGroup -Name DG3 -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true

To validate the settings, run this cmdlet:

Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired | Format-Table -AutoSize

In addition, enable XML trust:

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Ensure that you secure the network between the StoreFront and the Broker. For more information, see Knowledge Center articles CTX236929 and Securing the XenApp and XenDesktop XML Service.
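The per-Delivery-Group split described above (DG1 keylogging only, DG2 screen capture only, DG3 both), followed by an audit of every Delivery Group and of the XML trust setting, as an added example that is not part of the Citrix documentation. It assumes Windows PowerShell with the Citrix Virtual Apps and Desktops snap-ins installed on the machine where it runs; DG1, DG2 and DG3 are the names used in the text.

```powershell
# Added example, not Citrix's own code. Assumes the Citrix Virtual Apps and Desktops
# PowerShell snap-ins are installed locally (Delivery Controller or stand-alone Studio).
# For Citrix DaaS, use the Remote PowerShell SDK and run Get-XdAuthentication first.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Desired state per Delivery Group, matching the example split given in the text.
$desired = @(
    @{ Name = 'DG1'; KeyLogging = $true;  ScreenCapture = $false },
    @{ Name = 'DG2'; KeyLogging = $false; ScreenCapture = $true  },
    @{ Name = 'DG3'; KeyLogging = $true;  ScreenCapture = $true  }
)

foreach ($dg in $desired) {
    # Skip unknown names instead of failing part-way through the list.
    if (-not (Get-BrokerDesktopGroup -Name $dg.Name -ErrorAction SilentlyContinue)) {
        Write-Warning "Delivery Group '$($dg.Name)' not found; skipping."
        continue
    }
    Set-BrokerDesktopGroup -Name $dg.Name `
        -AppProtectionKeyLoggingRequired $dg.KeyLogging `
        -AppProtectionScreenCaptureRequired $dg.ScreenCapture
}

# Audit: list every Delivery Group and flag those with neither protection enabled.
$report = Get-BrokerDesktopGroup |
    Select-Object Name, Enabled, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired,
        @{ Name = 'Unprotected'; Expression = { -not ($_.AppProtectionKeyLoggingRequired -or $_.AppProtectionScreenCaptureRequired) } }
$report | Format-Table -AutoSize

# The procedure also requires XML trust: report the site-wide setting and enable it if still off.
if (-not (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort) {
    Write-Warning 'TrustRequestsSentToTheXmlServicePort is false; enabling it.'
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}
```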

Configure Policy Tampering Detection

Prerequisites

To configure the Policy Tampering Detection feature, ensure that you have the following:

  • For cloud deployments - Cloud Desktop Delivery Controller version 115 or later
  • For on-premises deployments - Citrix Virtual Apps and Desktops version 2308 or later
  • Windows Virtual Delivery Agent Installer version 2308 or later
  • For Windows - Citrix Workspace App for Windows upcoming release
  • For Mac - Citrix Workspace App for Mac 2308 or later
  • For Linux - Citrix Workspace App for Linux 2308 or later

Note:

This feature will be available only after the release of the upcoming version of Citrix Virtual Apps and Desktops.

To enable Policy Tampering Detection, the admin must start the Citrix AppProtection Service on the TS/WS VDAs that host the virtual apps and desktops configured with App Protection.

Perform one of the following steps to enable Policy Tampering Detection:

  • Using command prompt:

    1. On the leftmost of the taskbar, click the Search icon. Type cmd and then click Run as administrator. The Command Prompt screen appears.

    2. Run the following commands:

      sc config ctxappprotectionsvc start=auto
      sc start ctxappprotectionsvc

  • Using user interface:

    1. On the leftmost of the taskbar, click the Search icon. Type services.msc and press Enter. The Services screen appears.

    2. Select Citrix AppProtection Service and then click Start.

    3. Right-click Citrix AppProtection Service and then select Properties.

    4. Select General > Startup type > Automatic and then click OK to ensure that the service starts automatically when the system starts.

The Policy Tampering Detection feature is now enabled.
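A check that a set of VDAs are in the state the procedure above produces (the Citrix AppProtection Service running with an Automatic start mode), reporting any VDA where Policy Tampering Detection is therefore not active, as an added example that is not part of the Citrix documentation. It assumes PowerShell remoting (WinRM) to the VDAs; the hostnames are placeholders.

```powershell
# Added example, not Citrix's own code. Queries each VDA over PowerShell remoting
# for the ctxappprotectionsvc service and evaluates whether it is running and set
# to start automatically. VDA01 and VDA02 are placeholder hostnames.
$vdas = @('VDA01', 'VDA02')
$serviceName = 'ctxappprotectionsvc'

$results = Invoke-Command -ComputerName $vdas -ArgumentList $serviceName -ScriptBlock {
    param($name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    $state = if ($svc) { $svc.State } else { 'n/a' }
    $mode  = if ($svc) { $svc.StartMode } else { 'n/a' }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Installed = [bool]$svc
        State     = $state
        StartMode = $mode
        # Tampering detection is active only while the service runs and survives a reboot.
        Compliant = ($state -eq 'Running') -and ($mode -eq 'Auto')
    }
}

$results | Format-Table Computer, Installed, State, StartMode, Compliant -AutoSize

# Call out every VDA on which Policy Tampering Detection is not in effect.
$results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("{0}: Policy Tampering Detection not active (state '{1}', start mode '{2}')" -f $_.Computer, $_.State, $_.StartMode)
}
```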

To detect and block prior versions of Citrix Workspace app that do not support Policy Tampering Detection, configure App Protection Posture Check. For more information about App Protection Posture Check, see App Protection Posture Check.

Configure Posture Check

To enable App Protection Posture Check, configure the new VDA Citrix Policy that is related to this feature.

Prerequisites

Ensure that you have the following:

  • For cloud deployments - Cloud Desktop Delivery Controller version 115 or later
  • For on-premises deployments - Citrix Virtual Apps and Desktops version 2308 or later
  • Windows Virtual Delivery Agent Installer version 2308 or later
  • For Windows - Citrix Workspace App for Windows upcoming release
  • For Mac - Citrix Workspace App for Mac 2308 or later
  • For Linux - Citrix Workspace App for Linux 2308 or later

Note:

This feature will be available only after the release of the upcoming version of Citrix Virtual Apps and Desktops.

Configure the new VDA Citrix Policy for Posture Check as follows:

Note:

This new VDA Citrix Policy can be deployed using both Citrix Studio and Web Studio. The following procedure uses Citrix Studio; the same steps apply in Web Studio.

  1. Open Citrix Studio app on Desktop Delivery Controller (DDC) for on-prem or Web Studio for Cloud deployments and then select Policies.

  2. Under Actions, select Policies > Create Policy.

  3. Click All Settings drop down menu and select App Protection under ICA.

  4. Select Posture check for Citrix Workspace App and then click Select.

    The Edit Setting window appears.

  5. Uncheck the Use default value checkbox.

  6. Click Add and enter the relevant values from the following:

    • Windows-AntiScreencapture
    • Windows-AntiKeylogging
    • Linux-AntiScreencapture
    • Linux-AntiKeylogging
    • Mac-AntiScreencapture
    • Mac-AntiKeylogging

    For example, if you have added “Windows-AntiScreencapture” and “Windows-AntiKeylogging”, then only a Citrix Workspace app for Windows that supports Posture Check and has both of these capabilities is allowed to connect to the VDA.

    Note:

    • Each entry must have only one capability.
    • No space is allowed in the name of capability.
    • Ensure that the values are spelt correctly. Incorrectly spelt values cause the session to terminate.
    • Values that don’t have the prefix Windows-, Linux-, or Mac- will be ignored.
  7. After adding all the required values, click OK.

  8. Click Next.

  9. Select Assign Policy to > Selected users and machine objects.

  10. Select the required delivery groups where this policy must be deployed and then click OK.

  11. Click Next.

  12. Enter the policy name in the Policy name field and then select the Enable policy checkbox.

  13. Click Finish.

Policy for posture check is created.
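A validator for candidate Posture Check entries against the rules in the note above, as an added example that is not part of the Citrix documentation. A misspelt value terminates every session the policy applies to, while a value without a Windows-, Linux- or Mac- prefix is silently ignored, so the function reports both cases separately; it assumes capability names are case-sensitive, which is the safe assumption.

```powershell
# Added example, not Citrix's own code. The six capability names are the values listed
# in step 6 above; the classification rules follow the note under that step.
# Assumption: names are compared case-sensitively, so a capitalisation slip is an error.
$validCapabilities = @(
    'Windows-AntiScreencapture', 'Windows-AntiKeylogging',
    'Linux-AntiScreencapture',   'Linux-AntiKeylogging',
    'Mac-AntiScreencapture',     'Mac-AntiKeylogging'
)

function Test-PostureCheckEntry {
    param([Parameter(Mandatory)][string]$Entry)

    $result = [pscustomobject]@{ Entry = $Entry; Verdict = 'Valid'; Reason = '' }

    if ($validCapabilities -ccontains $Entry) {
        return $result                                   # exact match, safe to add
    }
    if ($Entry -match '\s') {
        # Spaces are not allowed, and one entry may hold only one capability.
        $result.Verdict = 'Error'
        $result.Reason  = 'contains whitespace (one capability per entry, no spaces)'
        return $result
    }
    if ($Entry -notmatch '^(Windows|Linux|Mac)-') {
        $result.Verdict = 'Ignored'
        $result.Reason  = 'prefix is not Windows-, Linux- or Mac-; the VDA ignores this entry'
        return $result
    }
    # Correct prefix but not an exact match: this is the case that terminates sessions.
    $nearest = $validCapabilities | Where-Object { $_ -ieq $Entry } | Select-Object -First 1
    $result.Verdict = 'Error'
    $result.Reason  = if ($nearest) { "case differs from '$nearest'" } else { 'misspelt capability; sessions would terminate' }
    return $result
}

# Constructed sample input mixing valid and faulty entries.
$candidates = @(
    'Windows-AntiScreencapture',
    'Windows-AntiKeyLogging',                   # capitalisation differs
    'Linux-AntiScreencapture ',                 # trailing space
    'Mac-AntiKeylogging Mac-AntiScreencapture', # two capabilities in one entry
    'Android-AntiKeylogging',                   # unsupported prefix, ignored
    'Mac-AntiKeyloging'                         # misspelt, would terminate sessions
)
$candidates | ForEach-Object { Test-PostureCheckEntry -Entry $_ } | Format-Table -AutoSize
```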

Expected behavior if App Protection Posture Check fails

  • If the Posture Check VDA Citrix Policy is enabled and you are using a Citrix Workspace app version that does not support the Posture Check feature, the session is terminated without displaying any error message.
  • If you are using a Citrix Workspace app version that supports the Posture Check feature, the session is terminated and a platform-specific error message is displayed:
    • Windows (screenshot: Posture check error in Windows)
    • Mac (screenshot: Posture check error in Mac)
    • Linux (screenshot: Posture check error in Linux)

Recommendation

App Protection policies are primarily focused on enhancing the security and protection of an endpoint. Review all other security recommendations and policies for your environment. You can use a Security and Control policy template for a recommended configuration in environments with low tolerance to risk. For more information, see Policy templates.
