App Protection features

This article highlights the App Protection features supported by Citrix Workspace app for Windows, Citrix Workspace app for Linux, and Citrix Workspace app for Mac.

Anti-keylogging

With encryption, App Protection’s anti-keylogging capabilities scramble the text the user is typing for both physical and on-screen keyboards. The anti-keylogging feature encrypts the text before any keylogging tool can access it from the kernel or OS level. A keylogger installed on the client endpoint reading the data from the OS or driver captures the hashed text instead of the keystrokes that the user is typing. App Protection policies are active not only for published applications and desktops, but for Citrix Workspace authentication dialogs as well. Your Citrix Workspace is protected from the moment your users open the first authentication dialog. App Protection scrambles keystrokes, returning indecipherable text to keyloggers.

The admins can choose to enable anti-keylogging for the following types of resources:

  • Virtual Apps and Desktops
  • Internal web and SaaS apps
  • Authentication screens
  • Self-Service plug-in (SSP) screens

Anti-screen capture

Anti-screen capture prevents an app from taking a screenshot or recording the screen within a virtual app or desktop session. The screen capture software can’t detect content within the capture region. The area selected by the app grays out, or the app captures nothing instead of the screen section that it expects to copy. The anti-screen capture feature applies to Snip & Sketch, Snipping Tool, and Shift+Ctrl+Print Screen on Windows.

Another use case for anti-screen capture is preventing the sharing of sensitive data in virtual meeting or web conferencing applications like GoToMeeting, Microsoft Teams, or Zoom. App Protection prevents unintended sharing by returning a blank screen in web conferences when apps are protected. This feature makes sure that sensitive data isn’t accidentally leaked from the organization. It can also help with compliance in regulated industries, because intent is not considered when disclosing a data breach.

The admins can choose to enable anti-screen capture for the following types of resources:

  • Virtual Apps and Desktops
  • Internal web and SaaS apps
  • Authentication screens
  • Self-Service plug-in (SSP) screens

Note:

If you have launched two virtual desktops where one virtual desktop is enabled with the Anti-screen capture feature and the other isn’t, then the Anti-screen capture feature applies to both virtual desktops. You can’t take a screenshot of either virtual desktop.

If you have minimized the virtual desktop that is enabled with Anti-screen capture, the Anti-screen capture feature still applies to the virtual desktop without the Anti-screen capture feature.

Screen capture detection and notification

For Citrix Workspace app, you can view a notification when a possible screen capture attempt is made on any protected resource. For information on the resources protected by App Protection, see What does App Protection protect?

The notification appears when there is an:

  • attempt to take a screenshot or record video through a screen-capturing tool.
  • attempt to take a screenshot through the Print Screen key.

Note:

  • The notification appears only once per running instance of the screen capture tool. The notification appears again if you relaunch the tool and try to capture the screen.
  • On Citrix Workspace app for Windows 2212 and later, sign-in windows and Self-Service (Store) windows are not protected by default.

Anti-DLL Injection

The Anti-DLL Injection security enhancement helps protect the Citrix Workspace app from certain unauthorized dynamic-link libraries (DLLs) or untrusted modules. If such untrusted modules are injected, the Citrix Workspace app detects these interventions and stops the modules from loading. Also, if any untrusted or malicious DLL is detected before the session launch, App Protection blocks the session launch and displays an error message. Closing the error message exits the virtual app and desktop session.

This feature is applicable for all protected virtual apps and desktops and the Citrix Workspace app authentication window (on-premises deployment/StoreFront).

This enhancement exits the session immediately when certain untrusted or malicious DLLs exist on the protected component.

Failure launch

The enhancement displays a notification when an untrusted or malicious DLL is blocked. Closing the message exits the virtual app and desktop session.

Suspicious alert

Disclaimer: This capability works by filtering access to required functions of the underlying operating system (specific API calls required to load DLLs). Doing so means that it can provide protection even against certain custom and purpose-built hacker tools. However, as operating systems evolve, new ways of loading DLLs can emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.

This feature is supported on Citrix Workspace app for Windows version 2206 and later.

Note:

Previously, anti-screen capture and anti-keylogging capabilities were enforced by default for Citrix authentication and Citrix Workspace app screens. However, starting from 2212, these capabilities are disabled by default and need to be configured using the Group Policy Object. For information on the GPO configuration, see Enhancement to App Protection configuration.

Compatibility with HDX optimization for Microsoft Teams

Optimized Microsoft Teams supports screen sharing when Citrix Workspace app is enabled with App Protection in the Desktop Viewer mode only. When you click Share content in Microsoft Teams, the screen picker provides the following options:

  • Window option to share any open app - This option is displayed only if the VDA version is 2109 or later.
  • Desktop option to share the contents on your VDA desktop - This option is displayed only for the following versions of Citrix Workspace app:
    • Citrix Workspace app for Linux version 2311 or later
    • Citrix Workspace app for Mac version 2308 or later
    • Citrix Workspace app for Windows version 2309 or later

Note:

For Citrix Workspace app for Linux, the Desktop share option is disabled by default. To enable it, add the UseGbufferScreenSharing parameter in your config.json file as follows:

mkdir -p /var/.config/citrix/hdx_rtc_engine
vim /var/.config/citrix/hdx_rtc_engine/config.json
{
    "UseGbufferScreenSharing": 1
}

Optimized Microsoft Teams enabled with App Protection also supports the Citrix virtual monitor layout which allows you to share each virtual monitor individually.

Limitation:

  • Optimized Microsoft Teams enabled with App Protection doesn’t support screen sharing on Published Desktops enabled with Local App Access (LAA).
  • Client-rendered content such as Browser content using BCR cannot be captured or shared. If you try to screen capture, it is displayed as a black screen.

Note:

For Citrix Workspace app for Linux, this feature is in Technical Preview.

Local App Protection (Preview)

App Protection offers enhanced security to defend customers against keyloggers, and accidental and malicious screen capture at endpoints. Currently App Protection capabilities are only offered for Workspace resources. With this feature, App Protection capabilities are extended to local apps on endpoints. Starting with Citrix Workspace app 2210 for Windows, App Protection can be applied to local apps on Windows devices.

Register for the Preview of this feature using the Podio form.

Policy Tampering Detection

The Policy Tampering Detection feature prevents the user from accessing the virtual app or desktop session if the App Protection anti-screen capture and anti-keylogging policies are tampered with. If policy tampering is detected, then the virtual app or desktop session is terminated.

Note:

The Policy Tampering Detection feature will be enabled by default in a future version.

To configure Policy Tampering Detection, see Configure Policy tampering detection.

Posture Check

To detect and block the launch of virtual apps and desktops enabled with App Protection policies from Citrix Workspace app versions that do not support the Policy Tampering Detection feature, enable App Protection Posture Check.

Note:

If Posture Check is enabled and you are using a Citrix Workspace app version that does not support Posture Check, then the sessions enabled with App Protection policies are terminated.

To configure Posture Check, see Configure Posture Check.

Limitation:

Posture Check stops working intermittently when you are using Windows Workstation VDAs hosted on Microsoft Azure.

App Protection with DoubleHop scenario

App Protection features are not supported in a double hop scenario. Double hop means a Citrix Virtual Apps or Virtual Desktops session running within a Citrix Virtual Desktops session. Previously, you could launch virtual apps and desktops enabled with App Protection policies in a double hop scenario, but the App Protection features were not applied.

Starting from the Citrix Workspace app for Windows 2309 version, a Windows Group Policy is introduced which allows you to block launching virtual apps and desktops enabled with App Protection policies in a double hop scenario. For more information about enabling the Block DoubleHop Launch setting, see Enable Block DoubleHop Launch setting.

Citrix Analytics Service for App Protection

When you use Citrix Virtual Apps and Desktops, user events corresponding to their activities and actions are generated. Citrix Analytics for Security has a feature named Self-service search that records those user events and provides you the insights about them. Self-service search enables you to find, filter, and explore those user events so that you can understand what user event is done and act depending on the severity of the event. For more information about Self-service search, see Self-service search.

Self-service search for Apps and Desktops has an event type AppProtection.ScreenCapture that allows you to determine if any attempts are made to take screenshots of the virtual apps or desktops that are enabled with App Protection policies. For more information about how to search for a user event, see Specify search query to filter events.

This service provides the following information:

  • Device ID
  • Protected App Titles
  • OS Extra Info
  • Screen Capture Tool Name
  • Screen Capture Tool Path
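The triage below is an added example and not Citrix code: it takes a constructed batch of AppProtection.ScreenCapture events carrying the fields listed above, sets aside attempts made with a tool on the Screen Capture Allow List (matched on the full normalised path, not the tool name), and groups the remaining attempts per device. The dictionary keys, the sample paths and the allow-list contents are assumptions, not the Citrix Analytics export schema.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample export; key names are an assumption, not the CAS schema.
SAMPLE_EVENTS = [
    {"event_type": "AppProtection.ScreenCapture", "device_id": "DEV-001",
     "protected_app_titles": ["Finance - SAP GUI"], "os_extra_info": "Windows 11 22H2",
     "tool_name": "SnippingTool.exe", "tool_path": r"C:\Windows\System32\SnippingTool.exe"},
    {"event_type": "AppProtection.ScreenCapture", "device_id": "DEV-002",
     "protected_app_titles": ["HR Portal"], "os_extra_info": "Windows 10 21H2",
     "tool_name": "Teams.exe", "tool_path": r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"event_type": "AppProtection.ScreenCapture", "device_id": "DEV-001",
     "protected_app_titles": ["Finance - SAP GUI", "Payroll"], "os_extra_info": "Windows 11 22H2",
     "tool_name": "snippingtool.exe", "tool_path": r"C:\Users\bob\Downloads\snippingtool.exe"},
    {"event_type": "Session.Logon", "device_id": "DEV-003"},
]

# Full paths an admin has temporarily placed on the Screen Capture Allow List (assumed).
ALLOW_LIST = {r"C:\Windows\System32\SnippingTool.exe"}

# Heuristic: a capture binary in a user-writable location deserves a closer look.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\public\\")

def normalise(path: str) -> str:
    """Normalise separators and case so the allow list cannot be bypassed by spelling."""
    return str(PureWindowsPath(path)).lower()

def classify(event: dict, allow_list=ALLOW_LIST) -> str:
    """Return 'allow_listed', 'suspicious' or 'high' for one ScreenCapture event."""
    path = normalise(event["tool_path"])
    if path in {normalise(p) for p in allow_list}:
        return "allow_listed"
    return "high" if any(d in path for d in USER_WRITABLE) else "suspicious"

def triage(events: list, allow_list=ALLOW_LIST) -> dict:
    """Group non-allow-listed capture attempts per device for analyst follow-up."""
    report = defaultdict(lambda: {"attempts": 0, "high": 0, "tools": set(), "apps": set()})
    for ev in events:
        if ev.get("event_type") != "AppProtection.ScreenCapture":
            continue  # other CAS event types are out of scope here
        verdict = classify(ev, allow_list)
        if verdict == "allow_listed":
            continue
        entry = report[ev["device_id"]]
        entry["attempts"] += 1
        entry["high"] += verdict == "high"
        entry["tools"].add(ev["tool_path"])
        entry["apps"].update(ev["protected_app_titles"])
    return dict(report)

if __name__ == "__main__":
    for device, info in triage(SAMPLE_EVENTS).items():
        print(device, info)
```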

Anti-screen capture in CAS

Screen Capture Allow List

If Citrix Workspace app, virtual apps and desktops, or SaaS apps are enabled with the App Protection Anti-screen capture policy, then you can’t capture their screens using any screen-capturing tool.

However, starting from the Citrix Workspace app for Windows 2402 release, the Screen Capture Allow List feature enables you to add an app to the screen capture allow list. This feature enables you to use the allow-listed app to capture the screen of a resource enabled with the App Protection Anti-screen capture policy. To add an app to the screen capture allow list, see Configure the Screen Capture Allow List.

Important:

It isn’t recommended to run an allow-listed app on your device for a long period because it decreases the security posture. You can use the allow-listed apps for sharing your screen temporarily during scenarios such as troubleshooting. It is recommended to adhere to the following conditions:

  • Run the allow-listed app for a short period along with the resource enabled with the App Protection Anti-screen capture feature.
  • Terminate the allow-listed app immediately after the required task is completed.
  • Add a watermark when sharing the screen while using the resource enabled with the App Protection Anti-screen capture feature for more security.

Process exclusion list

When you launch any process or application on your device, App Protection DLLs are injected into each process if App Protection is enabled. Sometimes, this might cause the process or application not to work due to compatibility issues with the DLL.

Starting from the Citrix Workspace app for Windows 2402 release, you can add any process to the Process exclusion list to avoid the injection of the App Protection DLL into that particular process and recover from any compatibility issues caused by the presence of App Protection DLLs. To configure the Process exclusion list, see Configure Process exclusion list.

Important:

It’s not recommended to exclude processes, as it decreases the security posture. Use this only to temporarily unblock the application and raise a support ticket for further investigation.

USB Filter Driver Exclusion List

Sometimes, when you’re using specialized external keyboards such as gaming keyboards with the Citrix Workspace app, the App Protection USB Filter Driver might cause compatibility issues and block you from using the keyboard.

Starting from the Citrix Workspace app for Windows 2402 release, the USB Filter Driver Exclusion List feature allows you to exclude any USB device that has compatibility issues with the Citrix Workspace app using the device Vendor ID and Product ID. To add any device to the USB Filter Driver Exclusion List, see Configure USB Filter Driver Exclusion List.

Note:

It isn’t recommended to exclude devices permanently. Use this feature to temporarily unblock the user from using the device and raise a support ticket to investigate the compatibility issue further.