Configure App Protection

App Protection provides enhanced security when you use the Citrix Workspace app. The feature restricts the ability of clients to be compromised with keylogging and screen-capturing malware. App Protection prevents exfiltration of confidential information, such as user credentials and sensitive information displayed on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information.

This article explains how to configure App Protection on Citrix Workspace app on different platforms.

App Protection is available on Citrix Workspace app for the following platforms:

Disclaimer

App Protection policies filter the access to required functions of the underlying operating system. Specific API calls are required to capture screen or keyboard presses. App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.

Citrix Workspace app for Windows

Prerequisites

  • Citrix Virtual Apps and Desktops Version 1912 LTSR or later.
  • StoreFront version 1912 LTSR or Workspace.
  • Citrix Workspace app version 2203.1 LTSR or later.
  • A valid App Protection license
  • Starting from Citrix Workspace app version 2212, the App Protection component is installed by default during the Citrix Workspace app installation.

    The Enable App Protection checkbox that appears during the installation is replaced with Start App Protection after installation.

    • For Citrix Workspace app versions before 2311:

      [Screenshot: Start App Protection after installation - Citrix Workspace app versions before 2311]

    • From Citrix Workspace app version 2311 onwards:

      [Screenshot: Start App Protection after installation - Citrix Workspace app version 2311 onwards]

    When you select this checkbox, App Protection starts immediately after the installation.

    Note:

    If you don’t enable this checkbox, App Protection automatically starts upon the first start of a protected resource or component for customers who are entitled to App Protection.

Configure

Configure the following App Protection features for Citrix Workspace app for Windows:

Limitations

  • This feature is supported only on desktop operating systems such as Windows 11 and Windows 10.
  • Starting with Version 2006.1, Citrix Workspace app isn’t supported on Windows 7. So, App Protection doesn’t work on Windows 7. For more information, see Deprecation.
  • This feature isn’t supported over Remote Desktop Protocol (RDP).

Command-line interface

You can start the App Protection component using the /startappprotection command-line parameter. The previous /includeappprotection switch is deprecated.

The following table provides information on screens protected depending on deployment:

| App Protection deployment | Screens protected | Screens not protected |
|---|---|---|
| Included in Citrix Workspace app | Self-service plug-in and Authentication manager / User credentials dialog | Connection Center, Devices, Citrix Workspace app error messages, Auto client reconnect, Add account |
| Configured on the Controller | ICA session screen (both apps and desktops) | Connection Center, Devices, Citrix Workspace app error messages, Auto client reconnect, Add account |

When you’re taking a screenshot, only the protected window is blacked out. You can take a screenshot of the area outside the protected window. However, if you’re using the PrtScr key to capture a screenshot on a Windows 10 device, you must minimize the protected window.

Previously, anti-screen capture and anti-keylogging capabilities were enforced by default for Citrix authentication and Citrix Workspace app screens. However, starting from version 2212, these capabilities are disabled by default and must be configured using the Group Policy Object.

Note:

This GPO policy isn’t applicable for ICA and SaaS sessions. The ICA and SaaS sessions continue to be controlled using the Delivery Controller and Citrix Secure Private Access.

App Protection enhancement:

From Citrix Workspace app for Windows 2305 and later, anti-keylogging is enabled on the authentication and self-service plug-in screens if one of the following criteria is met:

  • You have enabled App Protection using one of the following:
    • Select the Start App Protection checkbox during installation.
    • Start the App Protection component using the /startappprotection command line parameter.
  • If you haven’t selected the Start App Protection checkbox or used the /startappprotection command line parameter during the installation, then the anti-keylogging protection is enabled after launching the first protected resource.

Note:

The Global App Configuration service (GACS) and Group Policy Object (GPO) settings override the preceding behavior. For example, if you’ve disabled the GACS or GPO policy for these screens, then anti-keylogging isn’t enabled on the authentication and self-service plug-in (SSP) screens.

Citrix Workspace app for Linux

Starting with version 2108, the App Protection feature is fully functional. This feature supports virtual apps and desktops, and is enabled by default. However, you must configure the App Protection feature in the AuthManConfig.xml file to enable it for the authentication manager and the self-service plug-in interfaces.

Prerequisite

App Protection works best with the following operating systems along with the Gnome Display Manager:

  • 64-bit Ubuntu 22.04, Ubuntu 20.04, and Ubuntu 18.04
  • 64-bit Debian 10 and Debian 9
  • 64-bit CentOS 7
  • 64-bit RHEL 7
  • ARMHF 32-bit Raspberry Pi OS (Based on Debian 10 (buster))
  • ARM64 Raspberry Pi OS (Based on Debian 11 (bullseye))

Note:

If you’re using Citrix Workspace app earlier than version 2204, the App Protection feature does not support operating systems that use glibc 2.34 or later.

If you install Citrix Workspace app with the App Protection feature enabled on an OS that uses glibc 2.34 or later, the OS might fail to boot when you restart the system. To recover from the OS boot failure, do one of the following:

  • Reinstall the OS.
  • Go to Recovery mode of the OS and uninstall the Citrix Workspace app using the terminal.
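  • Boot through the live OS and remove the /etc/ld.so.preload file from the existing OS (rm -rf /etc/ld.so.preload, with the path taken under the directory where the existing OS root filesystem is mounted).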
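
A pre-install check for the glibc caveat above, as an added example that is not Citrix code. It assumes the Workspace app release is passed in the YYMM form used on this page (for example 2203) and that GNU sort -V is available; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not Citrix code). Function names are illustrative.

# version_ge A B: true when dotted version A >= B (relies on GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# app_protection_safe CWA_RELEASE GLIBC_VERSION
#   0 = outside the documented boot-failure combination
#   1 = Workspace app earlier than 2204 on glibc 2.34 or later
#   2 = a version is unknown, so no verdict
app_protection_safe() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    if ! version_ge "$1" 2204 && version_ge "$2" 2.34; then
        return 1
    fi
    return 0
}

# host_glibc_version: prints e.g. "2.35"; prints nothing on non-glibc systems.
host_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
}

# preload_entries FILE: non-blank, non-comment lines of an ld.so.preload file;
# prints nothing if the file is absent.
preload_entries() {
    [ -f "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Run the check only when a release is given, e.g.: sh preflight.sh 2203
if [ "$#" -ge 1 ]; then
    glibc="$(host_glibc_version)"
    rc=0; app_protection_safe "$1" "$glibc" || rc=$?
    case "$rc" in
        0) echo "OK: Workspace app $1, glibc $glibc" ;;
        1) echo "STOP: Workspace app $1 predates 2204 and glibc is $glibc" >&2 ;;
        *) echo "UNKNOWN: could not determine glibc version" >&2 ;;
    esac
    echo "Current /etc/ld.so.preload entries:"
    preload_entries /etc/ld.so.preload
    exit "$rc"
fi
```

Run it before installing the App Protection component and again before the required restart; a non-empty preload listing on an affected combination is the state the recovery steps above undo.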

Installing the App Protection component

  1. When you install the Citrix Workspace app using the tarball package, the following message appears: Do you want to install the App Protection component? Warning: You can’t disable this feature. To disable it, you must uninstall Citrix Workspace app. For more information, contact your system administrator. [default $INSTALLER_N]:

  2. Enter Y to install the App Protection component. App Protection isn’t installed by default.

  3. Restart your machine for the changes to reflect. App Protection works as expected only after you restart your machine.

Installing the App Protection component on RPM packages

Starting with Version 2104, App Protection is supported on the RPM version of Citrix Workspace app.

To install App Protection, do the following:

  1. Install Citrix Workspace app.
  2. Install the App Protection ctxappprotection<version>.rpm package from the Citrix Workspace app installer.
  3. Restart the system for the changes to reflect.

Installing the App Protection component on Debian packages

Starting with Version 2101, App Protection is supported on the Debian version of Citrix Workspace app.

To install the App Protection component, run the following command from the terminal before installing Citrix Workspace app:

export DEBIAN_FRONTEND="noninteractive"
sudo debconf-set-selections <<< "icaclient app_protection/install_app_protection select yes"

sudo debconf-show icaclient
* app_protection/install_app_protection: yes

sudo apt install -f ./icaclient_<version>._amd64.deb

Starting with Version 2106, Citrix Workspace app introduces an option to configure the anti-keylogging and anti-screen capturing functionalities separately for both the authentication manager and self-service plug-in interfaces.

Configure

Configure the following App Protection features for Citrix Workspace app for Linux:

Citrix Workspace app for Mac

Configure the following App Protection features for Citrix Workspace app for Mac:

Recommendation

App Protection policies are primarily focused on enhancing the security and protection of an endpoint. Review all other security recommendations and policies for your environment. You can use a Security and Control policy template for a recommended configuration in environments with low tolerance to risk. For more information, see Policy templates.
