Configure App Protection
App Protection provides enhanced security when you use the Citrix Workspace app. The feature restricts the ability of clients to be compromised with keylogging and screen-capturing malware. App Protection prevents exfiltration of confidential information, such as user credentials and sensitive information displayed on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information.
This article explains how to configure App Protection on Citrix Workspace app on different platforms.
App Protection is available on Citrix Workspace app for the following platforms:
- Citrix Workspace app for Windows
- Citrix Workspace app for Mac
- Citrix Workspace app for Linux
- Citrix Workspace app for iOS
- Citrix Workspace app for Android
Disclaimer
App Protection policies filter the access to required functions of the underlying operating system. Specific API calls are required to capture screen or keyboard presses. App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.
Citrix Workspace app for Windows
Prerequisites
- Citrix Virtual Apps and Desktops Version 1912 LTSR or later.
- StoreFront version 1912 LTSR or Workspace.
- Citrix Workspace app version 2203.1 LTSR or later.
- A valid App Protection license
- Starting from Citrix Workspace app version 2212, the App Protection component is installed by default during the Citrix Workspace app installation. The Enable App Protection checkbox that appears during the installation is replaced with Start App Protection after installation.
- For Citrix Workspace app versions before 2311:
- From Citrix Workspace app version 2311 onwards:
When you select this checkbox, App Protection starts immediately after the installation.
Note:
If you don’t enable this checkbox, App Protection automatically starts upon the first start of a protected resource or component for customers who are entitled to App Protection.
Configure
Configure the following App Protection features for Citrix Workspace app for Windows:
- Anti-keylogging and Anti-screen capture:
  - For Virtual Apps and Desktops, see Configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops.
  - For Web and SaaS Apps, see Configure Anti-keylogging and Anti-screen capture for Web and SaaS Apps.
  - For Authentication and Self-Service Plug-in:
    - Using Global App Configuration service UI, see Configure Anti-keylogging and Anti-screen capture for authentication and self-service plug-in using Global App Configuration service UI.
    - Using Group Policy Object, see Configure Anti-keylogging and Anti-screen capture for authentication and self-service plug-in using Group Policy Object.
    - Using API, see Configure Anti-keylogging and Anti-screen capture for authentication and self-service plug-in using GACS API.
- To configure the Anti-DLL Injection feature, see Configure Anti-DLL Injection feature.
- To configure App Protection Policy Tampering, see Configure App Protection Policy Tampering.
- To configure App Protection Posture Check, see Configure App Protection Posture Check.
- To enable Block DoubleHop Launch setting, see Block DoubleHop Launch.
Limitations
- This feature is supported only on desktop operating systems such as Windows 11 and Windows 10.
- Starting with Version 2006.1, Citrix Workspace app isn’t supported on Windows 7. So, App Protection doesn’t work on Windows 7. For more information, see Deprecation.
- This feature isn’t supported over Remote Desktop Protocol (RDP).
Command-line interface
You can start the App Protection component using the /startappprotection command line parameter. The previous /includeappprotection switch is deprecated.
The following table provides information on screens protected depending on deployment:
App Protection deployment | Screens protected | Screens not protected |
---|---|---|
Included in Citrix Workspace app | Self-service plug-in and Authentication manager / User credentials dialog | Connection Center, Devices, Citrix Workspace app error messages, Auto client reconnect, Add account |
Configured on the Controller | ICA session screen (both apps and desktops) | Connection Center, Devices, Citrix Workspace app error messages, Auto client reconnect, Add account |
When you’re taking a screenshot, only the protected window is blacked out. You can take a screenshot of the area outside the protected window. However, if you’re using the PrtScr key to capture a screenshot on a Windows 10 device, you must minimize the protected window.
Previously, anti-screen capture and anti-keylogging capabilities were enforced by default for Citrix authentication and Citrix Workspace app screens. However, starting from 2212, these capabilities are disabled by default and need to be configured using the Group Policy Object.
Note:
This GPO policy isn’t applicable for ICA and SaaS sessions. The ICA and SaaS sessions continue to be controlled using the Delivery Controller and Citrix Secure Private Access.
App Protection enhancement:
From Citrix Workspace app for Windows 2305 and later, anti-keylogging is enabled on the authentication and self-service plug-in screens if one of the following criteria is met:
- You have enabled App Protection using one of the following:
- Select the Start App Protection checkbox during installation.
- Start the App Protection component using the /startappprotection command line parameter.
- If you haven’t selected the Start App Protection checkbox or used the /startappprotection command line parameter during the installation, then the anti-keylogging protection is enabled after launching the first protected resource.
Note:
The Global App Configuration service and Group policy objects settings override the preceding behavior. For example, if you’ve disabled the GACS or GPO policy for these screens, then the anti-keylogging isn’t enabled on the authentication and SSP screens.
Citrix Workspace app for Linux
Starting with version 2108, the App Protection feature is fully functional. This feature supports Virtual Apps and Desktops, and is enabled by default. However, you must configure the App Protection feature in the AuthManConfig.xml file to enable it for the authentication manager and the self-service plug-in interfaces.
Prerequisite
App Protection works best with the following operating systems along with the Gnome Display Manager:
- 64-bit Ubuntu 22.04, Ubuntu 20.04, and Ubuntu 18.04
- 64-bit Debian 10 and Debian 9
- 64-bit CentOS 7
- 64-bit RHEL 7
- ARMHF 32-bit Raspberry Pi OS (Based on Debian 10 (buster))
- ARM64 Raspberry Pi OS (Based on Debian 11 (bullseye))
Note:
If you’re using a Citrix Workspace app version earlier than 2204, the App Protection feature does not support operating systems that use glibc 2.34 or later. If you install the Citrix Workspace app with the App Protection feature enabled on an OS that uses glibc 2.34 or later, the OS might fail to boot when the system restarts. To recover from the OS boot failure, do one of the following:
- Reinstall the OS.
- Go to Recovery mode of the OS and uninstall the Citrix Workspace app using the terminal.
- Boot through the live OS and remove the /etc/ld.so.preload file from the existing OS (rm -rf /etc/ld.so.preload, with the path taken under the mount point of the existing OS's root file system).
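The condition in the preceding note can be checked before the App Protection component is installed. The following is an added example, not Citrix code: the script name, function names, and the way the Workspace app version is passed in are assumptions, and only the version thresholds and the /etc/ld.so.preload path come from the note.

```python
"""Pre-install check for the glibc 2.34 caveat described in the note above."""
import platform
import sys

GLIBC_AFFECTED_FROM = (2, 34)        # from the note: glibc 2.34 or later
CWA_FIXED_FROM = (2204,)             # from the note: Workspace app earlier than 2204
PRELOAD_FILE = "/etc/ld.so.preload"  # file named in the recovery steps


def parse_version(text):
    """'2.35' -> (2, 35); '2203.1' -> (2203, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def install_is_safe(cwa_version, glibc_version):
    """False when the pair matches the boot-failure condition in the note."""
    old_client = parse_version(cwa_version) < CWA_FIXED_FROM
    new_glibc = parse_version(glibc_version) >= GLIBC_AFFECTED_FROM
    return not (old_client and new_glibc)


def preload_entries(path=PRELOAD_FILE):
    """Libraries listed in ld.so.preload (whitespace separated, '#' comments)."""
    try:
        with open(path, encoding="utf-8") as handle:
            lines = handle.read().splitlines()
    except FileNotFoundError:
        return []
    entries = []
    for line in lines:
        entries.extend(line.split("#", 1)[0].split())
    return entries


def main(argv):
    if len(argv) != 2:
        print("usage: preflight.py <workspace-app-version, e.g. 2203.1>")
        return 2
    libc, glibc_version = platform.libc_ver()
    if libc != "glibc" or not glibc_version:
        print("could not determine the glibc version; check it manually")
        return 2
    print(f"glibc {glibc_version}, Workspace app {argv[1]}")
    print(f"current {PRELOAD_FILE} entries: {preload_entries() or 'none'}")
    if install_is_safe(argv[1], glibc_version):
        print("OK: combination is outside the condition in the note")
        return 0
    print("STOP: Workspace app earlier than 2204 with glibc 2.34 or later; "
          "do not install the App Protection component on this host")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the target host with the version of the package you are about to install; a non-zero exit code can gate an automated rollout.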
Installing the App Protection component
- When you install the Citrix Workspace app using the tarball package, the following message appears: Do you want to install the App Protection component? Warning: You can’t disable this feature. To disable it, you must uninstall Citrix Workspace app. For more information, contact your system administrator. [default $INSTALLER_N]:
- Enter Y to install the App Protection component. App Protection isn’t installed by default.
- Restart your machine for the changes to reflect. App Protection works as expected only after you restart your machine.
Installing the App Protection component on RPM packages
Starting with Version 2104, App Protection is supported on the RPM version of Citrix Workspace app.
To install App Protection, do the following:
- Install Citrix Workspace app.
- Install the App Protection ctxappprotection<version>.rpm package from the Citrix Workspace app installer.
- Restart the system for the changes to reflect.
Installing the App Protection component on Debian packages
Starting with Version 2101, App Protection is supported on the Debian version of Citrix Workspace app.
To install the App Protection component, run the following command from the terminal before installing Citrix Workspace app:
export DEBIAN_FRONTEND="noninteractive"
sudo debconf-set-selections <<< "icaclient app_protection/install_app_protection select yes"
sudo debconf-show icaclient
* app_protection/install_app_protection: yes
sudo apt install -f ./icaclient_<version>._amd64.deb
Starting with Version 2106, Citrix Workspace app introduces an option to configure the anti-keylogging and anti-screen capturing functionalities separately for both the authentication manager and self-service plug-in interfaces.
Configure
Configure the following App Protection features for Citrix Workspace app for Linux:
- To configure Anti-keylogging and Anti-screen capture for Authentication screen, see Configure using AuthManConfig.xml for authentication manager.
- To configure Anti-keylogging and Anti-screen capture for the Self-Service Plug-in screen, see Configure using AuthManConfig.xml for the Self-Service Plug-in interface.
- To configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops, see Configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops.
- To configure App Protection Policy Tampering, see Configure App Protection Policy Tampering.
- To configure App Protection Posture Check, see Configure App Protection Posture Check.
Upgrade
Note:
AppProtection service does not currently support upgrades. If it is installed alongside the Citrix Workspace, upgrading the Citrix Workspace might break the AppProtection service. To prevent any issues during the upgrade, we recommend uninstalling the old version of Citrix Workspace and restarting the machine before installing the new version. For more information, see Install, Uninstall, and Update.
Citrix Workspace app for Mac
Configure the following App Protection features for Citrix Workspace app for Mac:
- For configuring Anti-keylogging and Anti-screen capture for Authentication and Self-Service Plug-in using Global App Configuration service UI, see Configure Anti-keylogging and Anti-screen capture for authentication and self-service plug-in using Global App Configuration service UI.
- For configuring Anti-keylogging and Anti-screen capture for Authentication and Self-Service Plug-in using API, see Configure Anti-keylogging and Anti-screen capture for authentication and self-service plug-in using GACS API.
- To configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops, see Configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops.
- To configure Anti-keylogging and Anti-screen capture for Web and SaaS Apps, see Configure Anti-keylogging and Anti-screen capture for Web and SaaS Apps.
- To configure App Protection Policy Tampering, see Configure App Protection Policy Tampering.
- To configure App Protection Posture Check, see Configure App Protection Posture Check.
Citrix Workspace app for iOS
Anti-keylogging
Prerequisites
- Citrix Virtual Apps and Desktops Version 1912 LTSR or later.
- StoreFront version 1912 LTSR or Workspace.
- Citrix Workspace app for iOS version 24.9.0 or later.
- A valid App Protection license.
Disclaimer:
App Protection policies work by filtering access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). This means that App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys emerge. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.
Configuration
You can configure the Anti-keylogging and Anti-screen capture features for the following for Citrix Workspace app for iOS:
- Citrix Virtual Apps and Desktops - The Anti-keylogging and Anti-screen capture features for Citrix Virtual Apps and Desktops can be configured in DDC. The App Protection policy is applied to a delivery group in DDC. For more information, see Configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops.
- Web and SaaS apps - The Anti-keylogging and Anti-screen capture features for Web and SaaS apps can be configured through Secure Private Access policies. For more information, see Configure Anti-keylogging and Anti-screen capture for Web and SaaS Apps.
- Authentication screen - The Anti-keylogging and Anti-screen capture features for the authentication screen can be configured through the Global App Configuration service and using the Unified Endpoint Management solutions.
Using Global App Configuration service
You can configure the Anti-screen capture feature for the authentication screen using:
- Using UI
- Using API
Using UI:
Starting with Citrix Workspace app for iOS 24.9.0 version, Citrix Workspace app allows you to configure App Protection for authentication screens using Global App Configuration service (GACS).
If you enable the anti-screen capturing functionality using GACS, it applies to the authentication screen.
Administrators can configure App Protection using the Workspace Configuration UI:
- Sign in to your Citrix Cloud account and select Workspace Configuration.
- Select App Configuration > Security and Authentication > App Protection.
- Click Anti Key Logging and then select the iOS Operating System.
- Click Anti Screen Capture and then select the iOS Operating System.
- Click the Enabled toggle button and then click Publish Drafts.
- In the Publish Settings dialog box, click Yes.
Using API:
The administrators can use the API to configure the App Protection features. The settings are as follows for Citrix Workspace app for iOS:
Setting to enable or disable anti-screen capturing:
"name": "enable anti screen capture for auth" "value": "true" or "false"
Setting to enable or disable anti-keylogging:
"name": "enable anti key-logging for auth" "value": "true" or "false"
Example:
Following is a sample JSON file to enable anti-screen capture and anti-keylogging features for Citrix Workspace app in GACS:
{
"category": "App Protection",
"userOverride": false,
"assignedTo": [
"AllUsersNoAuthentication"
],
"settings": [{
"name": "Enable Anti Screen Capture For Auth",
"value": "true"
},
{
"name": "Enable Anti Key Logging For Auth",
"value": "true"
}]
}
Using Unified Endpoint Management solutions
Starting with the 24.9.0 version of Citrix Workspace app for iOS, administrators can enable App Protection feature for the authentication screen. Administrators can configure this feature using an AppConfig-based key-value pair.
- For enabling anti-screen capture:
  - Key: enableAntiScreenCaptureForAuth
  - Value type: Boolean
  - Value:
    - If set to true, the anti-screen capture feature is enabled.
    - If set to false, the anti-screen capture feature is disabled.
- For enabling anti-keylogging:
  - Key: enableAntiKeyLoggingForAuth
  - Value type: Boolean
  - Value:
    - If set to true, the anti-keylogging feature is enabled.
    - If set to false, the anti-keylogging feature is disabled.
Steps to disable custom keyboards
When the anti-keylogging feature is enabled and the Use Custom keyboards toggle switch is turned on, you can’t open virtual apps, virtual desktops, web apps, or SaaS apps and the following alert message appears:
To disable the custom keyboard, do the following:
- Click Keyboard Options in the preceding alert dialog box.
- Clear Use Custom keyboards from the store settings. The Disable Custom Keyboards dialog box appears.
- Click Exit in the Disable Custom Keyboards dialog box. The Exiting dialog box appears.
- Click OK. Citrix Workspace app exits and then restarts automatically to reflect the changes.
Limitations
- Keylogging prevention: Keylogging prevention is only effective through soft keyboards. Hardware keyboards are not protected by the anti-keylogging feature.
- Anti-keylogging for Authentication Screen: There might be conflicts due to differing policies when multiple stores are involved.
- System browsers: The anti-keylogging feature for the authentication screen is not supported when using system browsers.
- Web interface authentication screen: Anti-screen capture and anti-keylogging features aren’t supported on the web interface authentication screen.
Anti-screen capture
Starting with Citrix Workspace app for iOS version 24.9.0, the following features are enabled:
Anti-screen capture support
This feature prevents unauthorized screen captures, recordings, QuickTime screen mirroring, screen sharing, and app switching. The anti-screen capture feature is available for the authentication screen, web or SaaS apps, and Citrix Virtual Apps and Desktops. When you capture a screen, the custom message "Screen Capture is disabled by your administrator for security reasons" is shown in the captured media instead of the actual content displayed on the screen. Anti-screen capture protects against various forms of unauthorized screen access such as:
- Screenshot: Prevents screenshots from being taken.
- Screen recording: Blocks screen recording software.
- Screen mirroring: Disables mirroring of the screen to other devices.
- Screen share: Restricts screen sharing functionality.
- App switcher: Prevents sensitive information from being visible in app switcher previews.
Anti-screen multi-monitor support
With this feature, App Protection extends its protection to all connected screens, ensuring that screenshots are protected on both the iPad and external monitors.
The external display is protected in all the three modes:
- Mirror: Allows you to mirror the display on the external monitor connected to the iPad. With anti-screen protection, both screens are protected, preventing unauthorized screenshots from capturing the content.
- Presentation: Allows you to present the desktop on an external monitor while using the iPad screen as a trackpad. Anti-screen protection ensures that both the content on the external monitor during presentations and the iPad’s display are protected.
- Extend: Allows you to display different views or screens on each display. Anti-screen protection extends to both the iPad and the external monitor, ensuring that the screenshots are protected.
Citrix Workspace app for Android
Prerequisites
- Citrix Virtual Apps and Desktops Version 1912 LTSR or later.
- StoreFront version 1912 LTSR or Workspace.
- Citrix Workspace app for Android version 24.7.0 or later.
- A valid App Protection license
Configuration
You can configure the Anti-screen capture feature for the following:
- Citrix Virtual Apps and Desktops - The Anti-screen capture feature for Citrix Virtual Apps and Desktops can be configured in DDC. The App Protection policy is applied to a delivery group in DDC. For more information, see Configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops.
- Web and SaaS apps - The Anti-screen capture feature for Web and SaaS apps can be configured through Secure Private Access policies. For more information, see Configure Anti-screen capture for Web and SaaS Apps.
- Authentication screen - The Anti-screen capture feature for the authentication screen can be configured through the Global App Configuration service and using the Unified Endpoint Management solutions.
Using Global App Configuration service
You can configure the Anti-screen capture feature for the authentication screen using:
- Using UI
- Using API
Using UI:
Citrix Workspace app allows you to configure App Protection for authentication screens using Global App Configuration service (GACS).
If you enable the anti-screen capturing functionality using GACS, it applies to the authentication screen.
Administrators can configure App Protection using the Workspace Configuration UI:
- Sign in to your Citrix Cloud account and select Workspace Configuration.
- Select App Configuration > Security and Authentication > App Protection.
- Click Anti Screen Capture and then select the Android Operating System.
- Click the Enabled toggle button and then click Publish Drafts.
- In the Publish Settings dialog box, click Yes.
Using API:
The administrators can use the API to configure the App Protection feature. The setting to enable or disable anti-screen capturing for Citrix Workspace app for Android:
"name": "enable anti screen capture for auth" "value": "true" or "false"
Example: Following is a sample JSON file to enable anti-screen capture feature for Citrix Workspace app in GACS:
{
"category": "App Protection",
"userOverride": false,
"assignedTo": [
"AllUsersNoAuthentication"
],
"settings": [{
"name": "Enable Anti Screen Capture For Auth",
"value": "true"
}
]
}
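A payload for the GACS API, as described in the Using API sections for iOS and Android, can be linted before it is published. The following is an added example, not Citrix code: the function name, the per-platform table, and the rule that values must be the strings "true" or "false" are assumptions drawn only from this page's sample JSON, and the payloads are constructed samples.

```python
"""Lint a GACS App Protection payload before publishing it (added example)."""
import json

# Setting names exactly as written in this page's sample JSON, grouped by the
# platform section that documents them.
DOCUMENTED_SETTINGS = {
    "ios": {"Enable Anti Screen Capture For Auth",
            "Enable Anti Key Logging For Auth"},
    "android": {"Enable Anti Screen Capture For Auth"},
}


def lint_payload(text, platform):
    """Return a list of problems; an empty list means the payload passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    if doc.get("category") != "App Protection":
        problems.append('category is not "App Protection"')
    if doc.get("userOverride") is not False:
        problems.append("userOverride differs from the sample (false)")
    settings = doc.get("settings")
    if not isinstance(settings, list) or not settings:
        return problems + ["settings must be a non-empty list"]
    seen = set()
    for item in settings:
        name = item.get("name") if isinstance(item, dict) else None
        value = item.get("value") if isinstance(item, dict) else None
        if name not in DOCUMENTED_SETTINGS[platform]:
            problems.append(f"{name!r} is not documented for {platform}")
            continue
        if name in seen:
            problems.append(f"{name!r} appears more than once")
        seen.add(name)
        if value not in ("true", "false"):
            problems.append(f"{name!r} value {value!r} is not the string "
                            '"true" or "false" used in the sample')
        elif value == "false":
            problems.append(f"{name!r} is set to false (protection disabled)")
    return problems


# Constructed samples: GOOD follows the page's sample; the others each carry
# one defect (trailing comma, iOS-only setting, protection switched off).
GOOD = '''{"category": "App Protection", "userOverride": false,
 "assignedTo": ["AllUsersNoAuthentication"],
 "settings": [{"name": "Enable Anti Screen Capture For Auth", "value": "true"}]}'''
TRAILING_COMMA = GOOD.replace('"true"}]', '"true"},]')
KEYLOG_SETTING = GOOD.replace("Screen Capture", "Key Logging")
DISABLED = GOOD.replace('"true"', '"false"')

if __name__ == "__main__":
    for label, text in [("good", GOOD), ("trailing comma", TRAILING_COMMA),
                        ("key logging", KEYLOG_SETTING), ("disabled", DISABLED)]:
        print(f"{label}: {lint_payload(text, 'android') or 'ok'}")
```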
Using Unified Endpoint Management solutions
Starting with the 24.7.0 version of Citrix Workspace app for Android, administrators can enable the App Protection feature for the authentication screen. Administrators can configure this feature using an AppConfig-based key-value pair.
- For enabling anti-screen capture:
  - Key: enableAntiScreenCaptureForAuth
  - Value type: Boolean
  - Value:
    - If set to true, the anti-screen capture feature is enabled.
    - If set to false, the anti-screen capture feature is disabled.
Recommendation
App Protection policies are primarily focused on enhancing the security and protection of an endpoint. Review all other security recommendations and policies for your environment. You can use a Security and Control policy template for a recommended configuration in environments with low tolerance to risk. For more information, see Policy templates.