Contextual App Protection for Workspace
Contextual App Protection adds the flexibility to apply App Protection policies conditionally, to a subset of users, based on the user, the device they connect from, and the network posture of the connection.
Implementing contextual App Protection
You can implement contextual App Protection using the connection filters defined in the Broker Access policy rule. The Broker Access policies define the rules controlling a user’s access to desktop groups. The policy comprises a set of rules. Each rule relates to a single desktop group, and contains a set of connection filters and access right controls.
Users gain access to a desktop group when their connection's details match the connection filters of one or more rules in the Broker Access policy. By default, users have no access to any desktop group in a site. You can create more Broker Access policies as required, and multiple rules can apply to the same desktop group. For more information, see New-BrokerAssignmentPolicyRule.
The following parameters of a Broker Access policy rule enable App Protection contextually: when a user's connection matches the connection filters defined in the rule, the corresponding protection is required for that session:
AppProtectionKeyLoggingRequired
AppProtectionScreenCaptureRequired
Use the Smart Access policies referenced in the Broker Access policy rules to further refine the connection filters. Refer to the scenarios explained in this article to understand how to use the Smart Access policies to set up contextual App Protection.
Prerequisites
Ensure that you have the following:
- Citrix Virtual Apps and Desktops version 2109 or later
- Delivery Controller version 2109 or later
- Network location service (NLS) for scenarios based on user’s network location
- Licensing requirements:
  - App Protection for DaaS
  - Adaptive Authentication entitlement, for scenarios that use Smart Access policies
Configuring contextual App Protection for Workspace - A few scenarios
Scenario 1: Enable App Protection for External users coming through the Access gateway
1. Configure adaptive access based on your network location:
   i. Log in to Citrix Cloud and navigate to Network Locations.
   ii. Add the network IP address or subnet that is to be treated as Internal or Direct.
   iii. Enter location_internal in the Location tags field.
   iv. Choose the network connectivity type as Internal.
   If you log in to the Cloud store from a device whose IP address falls in a range configured as Internal, the connection is considered Internal. All other network connections are considered External, or Via Access Gateway, connections.
2. Configure the Broker Access policy rules.
   For every delivery group, two Broker Access policy rules are created by default: one for connections coming through the Access Gateway and one for direct connections. Enable App Protection only for the rule that covers connections through the Access Gateway, that is, the external connections. Use the following steps to configure the Broker Access policy rules:
   i. Install the Citrix PowerShell SDK and connect to the cloud API as explained in the Citrix blog Getting started with PowerShell automation for Citrix Cloud.
   ii. Run the command Get-BrokerAccessPolicyRule. A list of all the Broker Access policy rules for all the delivery groups in the site is displayed.
   iii. Find the DesktopGroupUid of the delivery group that you want to change.
   iv. Use the DesktopGroupUid to fetch the rules that apply to that delivery group. There are at least two rules: one where AllowedConnections is ViaAG and another where it is NotViaAG.
      Get-BrokerAccessPolicyRule -DesktopGroupUid 7
      In the output, you see two rules:
      - CAP_Desktops_AG: AllowedConnections is ViaAG. This is the rule for external connections, that is, connections via the Access Gateway.
      - CAP_Desktops_Direct: AllowedConnections is NotViaAG. This is the rule for internal, or direct, connections.
   v. Enable the App Protection policies for external connections and disable them for internal connections using the following commands:
      Set-BrokerAccessPolicyRule CAP_Desktops_AG -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true
      Set-BrokerAccessPolicyRule CAP_Desktops_Direct -AppProtectionKeyLoggingRequired $false -AppProtectionScreenCaptureRequired $false
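The following script is an added example, not code from the Citrix page, that carries out the Broker Access policy steps of Scenario 1 for a delivery group looked up by name instead of a hard-coded DesktopGroupUid, and re-reads the rules afterwards so the result can be confirmed before users log back in. It assumes the Citrix PowerShell SDK session to Citrix Cloud has already been established as in the referenced blog post; the delivery group name CAP_Desktops is an assumption, and the script selects the rules by their AllowedConnections value rather than by the CAP_Desktops_AG / CAP_Desktops_Direct names shown above, so it also works when the default rules have been renamed.

```powershell
# Added example (not from the Citrix page). Assumes an authenticated Citrix
# PowerShell SDK session; the delivery group name below is an assumption.
$groupName = 'CAP_Desktops'

$group = Get-BrokerDesktopGroup -Name $groupName -ErrorAction SilentlyContinue
if (-not $group) { throw "Delivery group '$groupName' not found" }

# Fetch every Broker Access policy rule bound to this delivery group.
$rules = Get-BrokerAccessPolicyRule -DesktopGroupUid $group.Uid

# ViaAG rules cover connections through the Access Gateway (external in the
# network-location model); NotViaAG rules cover direct (internal) connections.
$external = $rules | Where-Object { $_.AllowedConnections -eq 'ViaAG' }
$internal = $rules | Where-Object { $_.AllowedConnections -eq 'NotViaAG' }

if (-not $external -or -not $internal) {
    throw "Expected both a ViaAG and a NotViaAG rule for '$groupName'; found: $($rules.Name -join ', ')"
}

# External connections: require both anti-keylogging and anti-screen-capture.
foreach ($r in $external) {
    Set-BrokerAccessPolicyRule -Name $r.Name `
        -AppProtectionKeyLoggingRequired $true `
        -AppProtectionScreenCaptureRequired $true
}

# Internal connections: App Protection not required.
foreach ($r in $internal) {
    Set-BrokerAccessPolicyRule -Name $r.Name `
        -AppProtectionKeyLoggingRequired $false `
        -AppProtectionScreenCaptureRequired $false
}

# Re-read the rules and show the fields that matter for the verification step.
Get-BrokerAccessPolicyRule -DesktopGroupUid $group.Uid |
    Select-Object Name, AllowedConnections, Enabled,
                  AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired |
    Format-Table -AutoSize
```

The final table is what to compare against during the verification step: every ViaAG rule for the group should show both AppProtection properties as True and every NotViaAG rule as False.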
Verification
Log out of Citrix Workspace app and log back in. Launch the protected resource from an external connection; the App Protection policies are applied. Launch the same resource from an internal connection, that is, from a device within the IP address range configured in the first step; the App Protection policies are not applied.
Scenario 2: Enabling App Protection for Untrusted Devices
There are multiple definitions of trusted and untrusted devices. For this scenario, consider a device trusted if the Endpoint Analysis (EPA) scan succeeds; all other devices are considered untrusted.
1. Configure Adaptive Authentication.
2. Create an authentication policy with an EPA scan using the following steps:
   i. Log in to the Citrix ADC administration UI. In the Configuration tab, navigate to Security > AAA - Application Traffic > Virtual Servers. Click the virtual server that you want to use, auth_vs in this case.
   ii. Navigate to Authentication Policies > Add Binding.
   iii. Click Add to create a policy.
   iv. Create an authentication policy based on the EPA scan. Enter the name of the policy. Select Action Type as EPA. Click Add to create an action.
   v. The Create Authentication EPA Action screen appears. Enter the following details and click Create to create the action:
      - Name of the EPA action. In this case EPA_Action_FileExists.
      - Default Group. Enter the default group name. If the EPA expression evaluates to true, users are added to the default group. The Default Group in this case is FileExists.
      - Quarantine Group. Enter the quarantine group name. If the EPA expression evaluates to false, users are added to the quarantine group.
      - Expression. Add the EPA expression that you want to scan. In this example, the EPA scan is considered successful if a particular file is present:
        sys.client_expr("file_0_C:\\\\epa\\\\avinstalled.txt")
   vi. You return to the Create Authentication Policy screen. Enter true in the Expression editor, and click Create.
   vii. You return to the Policy Binding screen. Do the following:
      - Select the Goto Expression as NEXT.
      - In the Select Next Factor section, select the LDAP policy that you've configured for authentication on the Application Delivery Controller (ADC).
   viii. Click Bind.
3. Create a Smart Access policy for trusted devices with the following steps:
   i. Select Smart Access Policies on the Authentication Virtual Server page of the auth_vs server.
   ii. Click Add Binding.
   iii. On the Policy Binding screen, click Add in the Select Policy section.
   iv. The Create Authentication Smart Access Policy screen appears. Enter a Name for the Smart Access policy and click Add to create a Smart Access profile.
   v. The Create Authentication Smart Access Profile screen appears. Enter a Name for the profile and enter trusted in Tags. This tag is referenced later in the Broker Access policy rule. Click Create.
   vi. You return to the Create Authentication Smart Access Policy screen. In the Expression section, enter the expression for which the tag must be pushed. Since this tag is pushed for trusted devices, enter AAA.USER.IS_MEMBER_OF("FileExists"). Click Create.
   vii. You return to the Policy Binding screen. Select the Goto Expression as End and click Bind.
4. Create a Smart Access policy for untrusted devices.
   - Follow the instructions of the previous step, except for sub-steps v and vi.
   - For sub-step v, on the Create Authentication Smart Access Profile screen, enter a Name for the profile and enter untrusted in Tags. This tag is referenced later in the Broker Access policy rule. Click Create.
   - For sub-step vi, in the Expression section of the Create Authentication Smart Access Policy screen, enter the expression for which the tag must be pushed. Since this tag is pushed for untrusted devices, enter AAA.USER.IS_MEMBER_OF("FileExists").NOT.
Configure the Broker Access policy rules
1. Install the Citrix PowerShell SDK and connect to the cloud API as explained in the Citrix blog Getting started with PowerShell automation for Citrix Cloud.
2. Run the command Get-BrokerAccessPolicyRule. A list of all the Broker Access policy rules for all the delivery groups in the site is displayed.
3. Find the DesktopGroupUid of the delivery group that you want to change.
4. Get the rules that apply only to that delivery group, using the command:
   Get-BrokerAccessPolicyRule -DesktopGroupUid 7
5. To match users on trusted devices, create another Broker Access policy rule using the command:
   New-BrokerAccessPolicyRule -Name CAP_Desktops_AG_Trusted -DesktopGroupUid 7 -AllowedConnections ViaAG -AllowedProtocols HDX,RDP -AllowedUsers AnyAuthenticated -AllowRestart $true -Enabled $true -IncludedSmartAccessFilterEnabled $true
6. To disable App Protection for trusted devices and enable it for untrusted devices, use the following commands:
   Set-BrokerAccessPolicyRule CAP_Desktops_AG_Trusted -IncludedSmartAccessTags Workspace:trusted -AppProtectionKeyLoggingRequired $false -AppProtectionScreenCaptureRequired $false
   Set-BrokerAccessPolicyRule CAP_Desktops_AG -IncludedSmartAccessTags Workspace:untrusted -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true
   The IncludedSmartAccessTags filter is evaluated only on rules where IncludedSmartAccessFilterEnabled is $true. Confirm with Get-BrokerAccessPolicyRule that it is enabled on both rules: a rule whose filter is disabled ignores its tags and matches every connection through the Access Gateway, so trusted devices would then match the untrusted rule as well.
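The following script is an added example, not code from the Citrix page, that performs the Scenario 2 Broker Access policy steps in one idempotent run and then checks that the Smart Access filter is actually enabled on every gateway rule of the group, since a gateway rule with the filter disabled matches all gateway connections regardless of its tags. It assumes an authenticated Citrix PowerShell SDK session; the delivery group name CAP_Desktops is an assumption, and the rule names CAP_Desktops_AG and CAP_Desktops_AG_Trusted and the tags Workspace:trusted and Workspace:untrusted follow the scenario above.

```powershell
# Added example (not from the Citrix page). Assumes an authenticated Citrix
# PowerShell SDK session; the delivery group name is an assumption, the rule
# and tag names follow Scenario 2.
$groupName   = 'CAP_Desktops'
$agRuleName  = 'CAP_Desktops_AG'          # default rule for connections via the gateway
$trustedRule = 'CAP_Desktops_AG_Trusted'  # additional rule for devices that passed EPA

$group = Get-BrokerDesktopGroup -Name $groupName -ErrorAction SilentlyContinue
if (-not $group) { throw "Delivery group '$groupName' not found" }

# Create the trusted-device rule only if it does not exist yet, so the script
# can be re-run safely.
if (-not (Get-BrokerAccessPolicyRule -Name $trustedRule -ErrorAction SilentlyContinue)) {
    New-BrokerAccessPolicyRule -Name $trustedRule -DesktopGroupUid $group.Uid `
        -AllowedConnections ViaAG -AllowedProtocols HDX,RDP `
        -AllowedUsers AnyAuthenticated -AllowRestart $true -Enabled $true `
        -IncludedSmartAccessFilterEnabled $true | Out-Null
}

# Trusted devices (tag "trusted" pushed by the EPA-backed Smart Access policy):
# App Protection not required.
Set-BrokerAccessPolicyRule -Name $trustedRule `
    -IncludedSmartAccessFilterEnabled $true -IncludedSmartAccessTags 'Workspace:trusted' `
    -AppProtectionKeyLoggingRequired $false -AppProtectionScreenCaptureRequired $false

# All other gateway connections (tag "untrusted"): App Protection required.
# The filter is enabled explicitly here because the default gateway rule is
# not guaranteed to have it on, and tags are ignored while it is off.
Set-BrokerAccessPolicyRule -Name $agRuleName `
    -IncludedSmartAccessFilterEnabled $true -IncludedSmartAccessTags 'Workspace:untrusted' `
    -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true

# Check: every ViaAG rule of this group must filter on at least one tag.
# A rule that does not would match trusted devices too, defeating the split.
$agRules = Get-BrokerAccessPolicyRule -DesktopGroupUid $group.Uid |
    Where-Object { $_.AllowedConnections -eq 'ViaAG' }

foreach ($r in $agRules) {
    if (-not $r.IncludedSmartAccessFilterEnabled -or -not $r.IncludedSmartAccessTags) {
        Write-Warning "$($r.Name): Smart Access filter disabled or no tags; this rule matches all gateway connections"
    }
}

$agRules |
    Select-Object Name, IncludedSmartAccessFilterEnabled, IncludedSmartAccessTags,
                  AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired |
    Format-Table -AutoSize
```

If the script prints a warning for any gateway rule, fix that rule before running the verification below; otherwise a device that passes the EPA scan matches both the trusted rule and the unfiltered rule, and the outcome no longer depends only on the tag.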
Verification
Log out of Citrix Workspace app and log back in. Launch the protected resource from a trusted device, one that passes the EPA scan; the App Protection policies are not applied. Launch the same resource from an untrusted device; the App Protection policies are applied.