Configure Anti-keylogging and Anti-screen capture

You can configure Anti-keylogging and Anti-screen capture for the following:

Configure Anti-keylogging and Anti-screen capture for authentication and self-service plug-in

You can configure Anti-keylogging and Anti-screen capture for authentication and self-service plug-in using the following methods:

| Configuration method | Citrix Workspace app for Windows | Citrix Workspace app for Mac | Citrix Workspace app for Linux | Citrix Workspace app for iOS | Citrix Workspace app for Android |
|---|---|---|---|---|---|
| Using Group Policy Object | Yes | No | No | No | No |
| Using Global App Configuration service | Yes | Yes | No | Yes | Yes |
| Using AuthManConfig.xml | No | No | Yes | No | No |

Using Group Policy Object

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace.
  3. Depending on whether you’re configuring App Protection for an authentication manager, or self-service plug-in, use one of the following steps:
    • Authentication manager

      To configure anti-keylogging and anti-screen-capturing for the authentication manager, select User authentication > Manage App Protection policy.

    • Self-service plug-in interface

      To configure anti-keylogging and anti-screen capturing for the self-service plug-in interface, select Self Service > Manage App Protection policy.

  4. Select one or both of the following options:
    • Anti-key logging: Prevents keyloggers from capturing keystrokes.
    • Anti-screen capturing: Prevents users from taking screenshots and sharing their screen.
  5. Click Apply and OK.

Expected Behavior:

The expected behavior depends upon the method by which you access the StoreFront that has the protected resources.

Using Global App Configuration service UI

Starting with Citrix Workspace app for Windows 2302 or Citrix Workspace app for Windows 2301 versions, Citrix Workspace app allows you to configure App Protection for authentication screens and self-service plug-in using Global App Configuration service (GACS).

If you enable the anti-keylogging and the anti-screen capturing functionality using the GACS, they’re applicable to both authentication and self-service plug-in screens.

Note:

  • Configuring anti-keylogging or anti-screen capture for authentication and self-service plug-in using GACS is applicable for Citrix Workspace app for Windows and Citrix Workspace app for Mac. It isn’t applicable for Citrix Workspace app for Linux.
  • The GACS configurations don’t apply for Virtual App and Desktops, and web and SaaS apps. These resources continue to be controlled using the Delivery Controller and Citrix Secure Private Access.
  • Starting with the Citrix Workspace app for Mac 2311 version, you can configure App Protection for the Authentication and Self-Service plug-in using the Global App Configuration service UI for both cloud stores and on-premises. However, if you’re using Citrix Workspace app for Mac earlier than the 2311 version, then you can configure it only for cloud stores.

Administrators can configure App Protection using the Workspace Configuration UI:

  1. Sign in to your Citrix Cloud account and select Workspace Configuration.

  2. Select App Configuration > Security and Authentication > App Protection.

  3. Click Anti Screen Capture and then select the relevant Operating System (Windows or Mac).

  4. Click the Enabled toggle button and then click Publish Drafts.

  5. Click Anti Key Logging and then select the relevant Operating System (Windows or Mac).

  6. Click the Enabled toggle button and then click Publish Drafts.

  7. In the Publish Settings dialog box, click Yes.

Using Global App Configuration service API

Administrators can use the API to configure these App Protection features. The settings are as follows:

  • Setting to enable or disable anti-screen capturing:

    "name": "enable anti screen capture for auth and ssp", "value": "true" or "false"

  • Setting to enable or disable anti-keylogging:

    "name": "enable anti key-logging for auth and ssp", "value": "true" or "false"

Example: Following is a sample JSON file to enable anti-screen capture and anti-keylogging features for Citrix Workspace app in GACS:

{
  "category": "App Protection",
  "userOverride": true,
  "assignedTo": [
    "AllUsersNoAuthentication"
  ],
  "settings": [
    {
      "name": "enable anti screen capture for auth and ssp",
      "value": true
    },
    {
      "name": "enable anti key-logging for auth and ssp",
      "value": true
    }
  ]
}

Using AuthManConfig.xml for an authentication manager

Navigate to $ICAROOT/config/AuthManConfig.xml and edit the file as follows:


/opt/Citrix/ICAClient/config$ cat AuthManConfig.xml | grep -i authmananti -A 1
    <key>AuthManAntiScreenCaptureEnabled</key>
    <value>true</value>
    <key>AuthManAntiKeyLoggingEnabled</key>
    <value>true </value>

Using AuthManConfig.xml for the Self-Service Plug-in interface

Navigate to $ICAROOT/config/AuthManConfig.xml and edit the file as follows:


/opt/Citrix/ICAClient/config$ cat AuthManConfig.xml | grep -i protection -A 4
<!-- Selfservice App Protection configuration -->
    <Selfservice>
      <AntiScreenCaptureEnabled>true</AntiScreenCaptureEnabled>
      <AntiKeyLoggingEnabled>true</AntiKeyLoggingEnabled>
    </Selfservice>
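
An audit check for the two AuthManConfig.xml procedures above (authentication manager and Self-Service plug-in), as an added example that is not part of the original page or Citrix tooling. The function names and the sample file are constructed here, and the parser assumes each element sits on its own line, as in the grep output shown.

```shell
# Added example (not Citrix code): audit App Protection flags in AuthManConfig.xml.
# Assumes the one-element-per-line layout shown in the grep output on this page.

# Print "auth/<key>=<value>" and "ssp/<element>=<value>" for settings in file $1.
app_protection_flags() {
    awk '
        { gsub(/<!--.*-->/, ""); gsub(/[ \t\r]/, "") }  # drop one-line comments, whitespace
        $0 == "" { next }
        { n = split($0, p, /[<>]/); prev = key; key = "" }
        p[2] == "key"                   { key = p[3] }
        p[2] == "value" && prev != ""   { print "auth/" prev "=" tolower(p[3]) }
        p[2] == "Selfservice"           { inside = 1 }
        p[2] == "/Selfservice"          { inside = 0 }
        inside && p[4] == ("/" p[2])    { print "ssp/" p[2] "=" tolower(p[3]) }
    ' "$1"
}

# Print one line per flag whose only recorded value is not "true"; return 1 if any.
audit_app_protection() {
    flags=$(app_protection_flags "$1"); rc=0
    for want in auth/AuthManAntiScreenCaptureEnabled auth/AuthManAntiKeyLoggingEnabled \
                ssp/AntiScreenCaptureEnabled ssp/AntiKeyLoggingEnabled; do
        vals=$(printf '%s\n' "$flags" | grep -F "$want=" | sort -u)
        [ "$vals" = "$want=true" ] || { echo "not enabled: $want"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: "true " has a trailing space (as in the page's output),
# one self-service flag is false and the other is commented out.
sample_config() {
    cat <<'EOF'
<key>AuthManAntiScreenCaptureEnabled</key>
<value>true</value>
<key>AuthManAntiKeyLoggingEnabled</key>
<value>true </value>
<Selfservice>
  <AntiScreenCaptureEnabled>false</AntiScreenCaptureEnabled>
  <!-- <AntiKeyLoggingEnabled>true</AntiKeyLoggingEnabled> -->
</Selfservice>
EOF
}

if [ $# -gt 0 ]; then
    audit_app_protection "$1"
else
    sample_config | audit_app_protection - || true   # the sample fails two checks
fi
```

Run it with the path to the file, for example $ICAROOT/config/AuthManConfig.xml. A non-zero exit status means at least one flag is missing, commented out, false, or set more than once with differing values.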

Configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops

Two policies provide anti-keylogging and anti-screen capturing functionality in a session. You can configure Anti-keylogging and Anti-screen capture for Virtual Apps and Desktops as follows:

Note:

From version 2103, Citrix DaaS supports App Protection with StoreFront and Workspace.

Using Web Studio

To configure Anti-keylogging and Anti-screen capture for Citrix Virtual Apps or Desktops through Web Studio, do the following steps:

  1. App Protection requires XML trust. To enable XML trust, do the following steps:

    1. Sign in to your Citrix DaaS account and go to Manage > Settings > Enable XML trust.

    2. Turn on the Enable XML trust toggle.

  2. To choose an App Protection method for a delivery group, do the following steps:

    1. In Citrix DaaS, go to Manage > Delivery Groups.

    2. Select a delivery group and then click Edit in the action bar.

    3. Click App Protection and then select Anti-keylogging and Anti-screen capturing checkboxes.

    4. Click Save.

Using PowerShell

Note:

In a Citrix DaaS environment, use the cmdlets in the Citrix Virtual Apps and Desktops Remote PowerShell SDK on any machine (apart from Citrix Cloud Connector machines) to issue the commands in this section.

Enable the following properties for the App Protection Delivery Group using the Citrix Virtual Apps and Desktops SDK on any installed Delivery Controller machine or on a machine with a stand-alone Studio installed that has the FMA PowerShell snap-ins installed.

  • AppProtectionKeyLoggingRequired: True
  • AppProtectionScreenCaptureRequired: True

You can enable each of these policies individually per Delivery Group. For example, you can configure keylogging protection only for DG1, and screen capture protection only for DG2. You can enable both policies for DG3.

Example:

To enable both policies for a Delivery Group named DG3, run the following command on any Delivery Controller in the site:

Set-BrokerDesktopGroup -Name DG3 -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true

To validate the settings, run this cmdlet:

Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired | Format-Table -AutoSize

Also, enable XML trust:

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Make sure that you secure the network between the StoreFront and the Broker. For more information, see Knowledge Center articles CTX236929 and Securing the XenApp and XenDesktop XML Service.

Configure Anti-keylogging and Anti-screen capture for Web and SaaS apps

Web and SaaS apps open in the Citrix Enterprise Browser for Citrix Workspace app for Windows and Citrix Workspace app for Mac. If the apps are configured with App Protection policies through Citrix Secure Private Access, then App Protection is applied on a per-tab basis.

Configure App Protection for Web and SaaS apps using the following:

Configure Anti-keylogging and Anti-screen capture