App Protection features

This article highlights the App Protection features supported by Citrix Workspace app for Windows, Citrix Workspace app for Linux, and Citrix Workspace app for Mac.

Anti-keylogging

With encryption, App Protection’s anti-keylogging capabilities scramble the text the user is typing for both physical and on-screen keyboards. The anti-keylogging feature encrypts the text before any keylogging tool can access it from the kernel or OS level. A keylogger installed on the client endpoint reading the data from the OS or driver captures the hashed text instead of the keystrokes that the user is typing. App Protection policies are active not only for published applications and desktops, but for Citrix Workspace authentication dialogs as well. Your Citrix Workspace is protected from the moment when your users open the first authentication dialog. App Protection scrambles keystrokes, returning indecipherable text to key loggers.

The admins can choose to enable anti-keylogging for the following types resources:

  • Virtual Apps and Desktops
  • Internal web and SaaS apps
  • Authentication screens
  • Self-Service plug-in (SSP) screens

Anti-screen capture

Anti-screen capture prevents an app from trying to take a screenshot or recording the screen within a virtual app or desktop session. The screen capture software can’t detect content within the capture region. The area selected by the app grays out, or the app captures nothing instead of the screen section that it expects to copy. The anti-screen capture feature applies to snip and sketch, Snipping Tool, and Shift+Ctrl+Print Screen on Windows.

Another use case for anti-screen capture is preventing sharing of sensitive data in a virtual meeting or web conferencing applications like GoToMeeting, Microsoft Teams, or Zoom. App Protection prevents unintended sharing by returning a blank screen in web conferences when apps are protected. This feature makes sure that the sensitive data isn’t accidentally leaked from the organization. This feature can help with compliance in regulated industries, as the intention is not considered when disclosing a data breach.

The admins can choose to enable anti-screen capture for the following types resources:

  • Virtual Apps and Desktops
  • Internal web and SaaS apps
  • Authentication screens
  • Self-Service plug-in (SSP) screens

Note:

If you have launched two virtual desktops where one virtual desktop is enabled with the Anti-screen capture feature and the other virtual desktop isn’t enabled with the Anti-screen capture feature, then the Anti-screen capture feature is applicable for both the virtual desktops. You can’t take the screenshot of either virtual desktops.

In case if you have minimized the virtual desktop that is enabled with Anti-screen capture, the Anti-screen capture feature is still applicable for the virtual desktop without the Anti-screen capture feature.

Screen capture detection and notification

For Citrix Workspace app, you can view a notification when a possible attempt of screen capture is made on any protected resources. For information on the resources protected by App Protection, see What does App Protection protect?

The notification appears when there is an:

  • attempt to take a screenshot or record video through a screen-capturing tool.
  • attempt to take a screenshot through the Print Screen key.

Note:

  • The notification appears only once per running instance of the screen capture tool. The notification appears again if you relaunch the tool and try to capture the screen.
  • On Citrix Workspace app for Windows 2212 and later, sign-in windows and Self-Service (Store) windows are not protected by default.

Anti-DLL Injection

The Anti-DLL Injection security enhancement helps protect the Citrix Workspace app from certain unauthorized dynamic-link libraries (DLL) or untrusted modules. If such untrusted modules are injected, the Citrix Workspace app detects these interventions and stops the modules from loading. Also, if any untrusted or malicious DLL is detected before the session launch, App Protection blocks the session launch and displays an error message. Closing the error message exits the virtual app and desktop session.

This feature is applicable for all protected virtual apps and desktops and the Citrix Workspace app authentication window (on-premises deployment/StoreFront).

This enhancement exits the session immediately when certain untrusted or malicious DLLs exist on the protected component.

Failure launch

The enhancement displays a notification when an untrusted or malicious DLL is blocked. Closing the message exits the virtual app and desktop session.

Suspicious alert

Disclaimer: This capability works by filtering access to required functions of the underlying operating system (specific API calls required to load DLLs). Doing so means that it can provide protection even against certain custom and purpose-built hacker tools. However, as operating systems evolve, new ways of loading DLLs can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.

This feature support Citrix Workspace app for Windows version 2206 and later.

Note:

Previously, anti-screen capture and anti-keylogging capabilities were enforced by default for Citrix authentication and Citrix Workspace app screens. However, starting from 2212, these capabilities are disabled by default and need to be configured using the Group Policy Object. For information on the GPO configuration, see Enhancement to App Protection configuration.

Compatibility with HDX optimization for Microsoft Teams

Optimized Microsoft Teams supports screen sharing when Citrix Workspace app is enabled with App Protection in the Desktop Viewer mode only. When you click Share content in Microsoft Teams, the screen picker provides the following options:

  • Window option to share any open app - This option is displayed only if the VDA version is 2109 or later.
  • Desktop option to share the contents on your VDA desktop - This option is displayed only for the following versions of Citrix Workspace app:
    • Citrix Workspace app for Linux version 2311 or later
    • Citrix Workspace app for Mac version 2308 or later
    • Citrix Workspace app for Windows version 2309 or later

Note:

For Citrix Workspace app for Linux, the Desktop share option is disabled by default. To enable it, add the UseGbufferScreenSharing parameter in your config.json file as follows:

mkdir -p /var/.config/citrix/hdx_rtc_engine
vim /var/.config/citrix/hdx_rtc_engine/config.json
{
      "UseGbufferScreenSharing":1
}
<!--NeedCopy-->

Optimized Microsoft Teams enabled with App Protection also supports the Citrix virtual monitor layout which allows you to share each virtual monitor individually.

Limitation:

  • Optimized Microsoft Teams enabled with App Protection doesn’t support screen sharing on Published Desktops enabled with Local App Access (LAA).
  • Client-rendered content such as Browser content using BCR cannot be captured or shared. If you try to screen capture, it is displayed as a black screen.

Note:

For Citrix Workspace app for Linux and Citrix Workspace app for Mac, this feature is in Technical Preview.

Local App Protection (Preview)

App Protection offers enhanced security to defend customers against keyloggers, and accidental and malicious screen capture at endpoints. Currently App Protection capabilities are only offered for Workspace resources. With this feature, App Protection capabilities are extended to local apps on endpoints. Starting with Citrix Workspace app 2210 for Windows, App Protection can be applied to local apps on Windows devices.

Register for the Preview of this feature using the Podio form.

Policy Tampering Detection

Policy Tampering Detection feature prevents the user from accessing the virtual app or desktop session if the App Protection anti-screen capture and anti-keylogging policies are tampered. If policy tampering is detected, then the virtual app or desktop session is terminated.

Note:

The policy Tampering Detection feature will be enabled by default in a future version.

To configure Policy Tampering Detection, see Configure Policy tampering detection.

Posture Check

To detect and block launching virtual apps and desktops that are enabled with App Protection policies from Citrix Workspace app versions that do not support the Policy Tampering Detection feature, enable App Protection Posture Check.

Note:

If Posture Check is enabled and you are using the Citrix Workspace app version that does not support Posture Check, then the sessions enabled with App Protection policies are terminated.

To configure Posture Check, see Configure Posture Check.

Limitation:

Posture Check stops working intermittently when you are using Windows Workstation VDAs hosted on Microsoft Azure.

App Protection with DoubleHop scenario

App Protection features are not supported in a double hop scenario. Double hop means a Citrix Virtual Apps or Virtual Desktops session running within a Citrix Virtual Desktops session. You were allowed to launch virtual apps and desktops that are enabled with App Protection policies in a double hop scenario however the App Protection features were not applied.

Starting from the Citrix Workspace app for Windows 2309 version, a Windows Group Policy is introduced which allows you to block launching virtual apps and desktops enabled with App Protection policies in a double hop scenario. For more information about enabling the Block DoubleHop Launch setting, see Enable Block DoubleHop Launch setting.

Citrix Analytics Service for App Protection

When you use Citrix Virtual Apps and Desktops, user events corresponding to their activities and actions are generated. Citrix Analytics for Security has a feature named Self-service search that records those user events and provides you the insights about them. Self-service search enables you to find, filter, and explore those user events so that you can understand what user event is done and act depending on the severity of the event. For more information about Self-service search, see Self-service search.

Self-service search for Apps and Desktops has an event type AppProtection.ScreenCapture that allows you to determine if any attempts are made to take screenshots of the virtual apps or desktops that are enabled with App Protection policies. For more information about how to search for a user event, see Specify search query to filter events.

This service provides the following information:

  • Device ID
  • Protected App Titles
  • OS Extra Info
  • Screen Capture Tool Name
  • Screen Capture Tool Path

Anti-screen capture in CAS

App Protection features