Contextual App Protection for StoreFront

Contextual App Protection provides the granular flexibility to apply the App Protection policies conditionally for a subset of users - based on users, their device, and the network posture.

Implementing Contextual App Protection

You can implement contextual App Protection using the connection filters defined in the Broker Access policy rule. The Broker Access policies define the rules controlling a user’s access to delivery groups. The policy comprises a set of rules. Each rule relates to a single delivery group, and has a set of connection filters and access right controls.

Users gain access to a delivery group when their connection’s details match the connection filters of one or more rules in the Broker Access policy. Users don’t have access to any desktop group within a site by default. You can create more Broker Access policies based on requirements. Multiple rules can apply to the same delivery group. For more information, see New-BrokerAccessPolicyRule.

The following parameters in the Broker Access policy rule provide the flexibility to enable App Protection contextually if the user’s connection matches the connection filters defined in the access policy rule:

  • AppProtectionKeyLoggingRequired
  • AppProtectionScreenCaptureRequired

Use the Smart Access filters referenced in the Broker Access policies to refine the connection filters. For information on configuring Smart Access filters, see this CTX227055. Refer to the following scenarios to understand how to use the Smart Access policies to set up Contextual App Protection.


If App Protection is enabled on the Delivery Group, then Contextual App Protection cannot be applied by default. Disable App Protection on the Delivery Group by using the following command:

Set-BrokerDesktopGroup -Name "Admin Desktop" -AppProtectionKeyLoggingRequired $false -AppProtectionScreenCaptureRequired $false


To enable Contextual App Protection for StoreFront, make sure that you meet the requirements mentioned in the Prerequisites section.

Enable Contextual App Protection

  1. Download the Contextual App Protection policies (feature table) for your Citrix Virtual Apps and Desktops version from the Citrix Downloads page.

  2. Run the following PowerShell command in the delivery controller:

    asnp Citrix*
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
  3. Run the following command to enable contextual App Protection in the delivery controller:

    Import-ConfigFeatureTable <path to the downloaded feature table>

    For example,


Contextual App Protection scenarios

Following are some of the scenarios about how you can enable or disable Contextual App Protection:

Contextual App Protection for StoreFront