App Protection features
This article highlights the App Protection features supported by Citrix Workspace app for Windows, Citrix Workspace app for Linux, and Citrix Workspace app for Mac.
Anti-keylogging
With encryption, App Protection’s anti-keylogging capabilities scramble the text the user is typing for both physical and on-screen keyboards. The anti-keylogging feature encrypts the text before any keylogging tool can access it from the kernel/OS level. A keylogger installed on the client endpoint, reading the data from the OS/driver, would capture encrypted text instead of the keystrokes the user is typing. App Protection policies are active not only for published applications and desktops, but for Citrix Workspace authentication dialogs as well. Your Citrix Workspace is protected from the moment your users open the first authentication dialog. App Protection scrambles keystrokes, returning indecipherable text to keyloggers.
Admins can choose to enable anti-keylogging for the following types of resources:
- Virtual Apps and Desktops
- Internal web and SaaS apps
- Authentication screens
- Self-Service plug-in (SSP) screens
Anti-screen capture
Anti-screen capture prevents an app from taking a screenshot or a recording of the screen within a virtual app or desktop session. The screen capture software can’t detect content within the capture region. The area selected by the app is grayed out, or the app captures nothing instead of the screen section that it expects to copy. The anti-screen capture feature applies to Snip & Sketch, Snipping Tool, and Shift+Ctrl+Print Screen on Windows.
Another use case for anti-screen capture is preventing the sharing of sensitive data in virtual meeting or web conferencing applications such as GoToMeeting, Microsoft Teams, or Zoom. App Protection prevents unintended sharing by returning a blank screen in web conferences when apps are protected. This ensures that sensitive data is not accidentally leaked from the organization. This can help with compliance in regulated industries, because intent is not considered when a data breach is disclosed.
Admins can choose to enable anti-screen capture for the following types of resources:
- Virtual Apps and Desktops
- Internal web and SaaS apps
- Authentication screens
- Self-Service plug-in (SSP) screens
Screen capture detection and notification
For Citrix Workspace app, you can view a notification when a possible screen capture attempt is made on any protected resource. For information on the resources protected by App Protection, see What does App Protection protect?
The notification appears when there is an:
- attempt to take a screenshot or record video through a screen-capturing tool.
- attempt to take a screenshot through the Print Screen key.
Note:
- The notification appears only once per running instance of the screen capture tool. The notification appears again if you relaunch the tool and attempt screen capture.
- On Citrix Workspace app for Windows 2212 and later, sign-in windows and Self-Service (Store) windows are not protected by default.
Anti-DLL Injection
The Anti-DLL Injection security enhancement helps protect the Citrix Workspace app from certain unauthorized dynamic-link libraries (DLLs) or untrusted modules. If such untrusted modules are injected, the Citrix Workspace app detects these interventions and stops the modules from loading. Also, if any untrusted or malicious DLL is detected before the session launch, App Protection blocks the session launch and displays an error message. Closing the error message exits the virtual app and desktop session.
This feature applies to all protected virtual apps and desktops and to the Citrix Workspace app authentication window (on-premises deployment/StoreFront).
This enhancement exits the session immediately when certain untrusted or malicious DLLs exist on the protected component.
The enhancement displays a notification when an untrusted or malicious DLL is blocked. Closing the message exits the virtual app and desktop session.
Disclaimer: This capability works by filtering access to required functions of the underlying operating system (specific API calls required to load DLLs). Doing so means that it can provide protection even against certain custom and purpose-built hacker tools. However, as operating systems evolve, new ways of loading DLLs can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.
This feature supports Citrix Workspace app for Windows version 2206 and later.
Note:
Previously, anti-screen capture and anti-keylogging capabilities were enforced by default for Citrix authentication and Citrix Workspace app screens. However, starting from 2212, these capabilities are disabled by default and need to be configured using the Group Policy Object. For information on the GPO configuration, see Enhancement to App Protection configuration.
Compatibility with HDX optimization for Microsoft Teams
Microsoft Teams supports incoming video and screen sharing only when Citrix Workspace app for Windows with App Protection enabled is in Desktop Viewer mode. Published apps in seamless mode don’t render incoming video and screen sharing.
Full monitor or desktop sharing is disabled when App Protection is enabled for the delivery group. When you click Share content in Microsoft Teams, the screen picker removes the Desktop option. You can only select the Window option to share any open app, if the VDA is 2109 or higher. If you are connected to a VDA older than 2019, no content is selectable.
Note:
This feature supports Citrix Workspace app for Mac version 2204.1 and later.
Local App Protection (Preview)
App Protection offers enhanced security to defend customers against keyloggers and against accidental and malicious screen capture at endpoints. Currently, App Protection capabilities are only offered for Workspace resources. With this feature, App Protection capabilities are extended to local apps on endpoints. Starting with Citrix Workspace app 2210 for Windows, App Protection can be applied to local apps on Windows devices.
Register for the Preview of this feature using the Podio form.
Policy Tampering Detection
The Policy Tampering Detection feature prevents the user from accessing the virtual app or desktop session if the App Protection anti-screen capture and anti-keylogging policies are tampered with. If policy tampering is detected, the virtual app or desktop session is terminated.
Note:
The Policy Tampering Detection feature will be enabled by default in a future release.
To configure Policy Tampering Detection, see Configure Policy tampering detection.
Posture Check
To detect and block the launch of virtual apps and desktops enabled with App Protection policies from Citrix Workspace app versions that do not support the Policy Tampering Detection feature, enable App Protection Posture Check.
Note:
If Posture Check is enabled and you are using a Citrix Workspace app version that does not support Posture Check, the sessions enabled with App Protection policies are terminated.
To configure Posture Check, see Configure Posture Check.