Session watermark helps to deter and enable tracking of data theft. Traceable information appears on session desktops as a deterrent to users who employ photographs and screen captures to steal data. You can specify a watermark as a layer of text or a PNG image with alpha channel. The watermark displays over the entire session screen without changing the content of the original document.
Session watermark is not a security feature. It does not prevent data theft completely, but it provides some level of deterrent and traceability. We do not guarantee complete information traceability when using this feature. Instead, we recommend that you combine this feature with other security solutions as applicable.
The session watermark carries information for tracking data theft. The most important data is the identity of the user, as tracked by their logon credentials, of the session where the screen image was taken. To trace data leakage more effectively, include other information such as the server or client Internet protocol address and a connect time.
To adjust the user experience, use the following session watermark policy settings to configure the placement and watermark appearance on the screen:
Session watermark policy settings
When you enable this setting, the session display has an opaque watermark displaying session-specific information. The other watermark settings depend on this one being enabled.
By default, the session watermark is disabled.
When you enable this setting, the session displays the current client IP address as a watermark.
By default, Include client IP address is disabled.
When you enable this setting, the session watermark displays a connect time. The format is yyyy/mm/dd hh:mm. The time displayed is based on the system clock and time zone.
By default, Include connection time is disabled.
When you enable this setting, the session displays the current logon user name as a watermark. The display format is USERNAME@DOMAINNAME. We recommend that the user name is a maximum of 20 characters. When a user name is longer than 20 characters, smaller font sizes or truncation might occur, which lessens the effectiveness of the watermark.
By default, Include logon user name is enabled.
When you enable this setting, the session displays the VDA host name of the current ICA session as a watermark.
By default, Include VDA host name is enabled.
When you enable this setting, the session displays the VDA IP address of the current ICA session as a watermark.
By default, Include VDA IP address is disabled.
This setting controls whether you display a single watermark text label or multiple labels. Choose Multiple or Single from the Value drop-down menu. For additional style options, see the Watermark custom text section in this article.
Multiple displays five watermark labels in the session. One in the center and four in the corners.
Single displays a single watermark label in the center of the session.
By default, the Session watermark style is Multiple.
You can specify watermark opacity from 0 through 100. The larger the value specified, the more opaque the watermark.
By default, the value is 17.
The value is empty by default. You can type a non-empty string, set a syntax to form a string, or use the combination to display in the session watermark. Non-empty strings support up to 25 Unicode characters per line. Longer strings are truncated to 25 characters.
For example, you can set the policy to the following value:
<date> <time><newline><username><style=single><fontsize=40><font=Ubuntu><position=center><rotation=0><newline><serverip><newline><clientip><newline>Citrix Linux VDA<newline>Version 2207
For a description of all syntax options, see the following table:
|Syntax option||Description||Valid setting (case-sensitive)||Default value||Remarks|
||Watermark layout style||
||Valid only when the layout style is set to single.|
||Watermark rotation to a certain angle||-180–180||0||-|
||-||A system supported font||Sans||-|
||-||20–50||0 (auto calculated)||-|
||Percentage of the font and image sizes you set through
||PNG watermark||Path to a PNG image on the VDA||N/A||This syntax configures a PNG watermark. Only PNG with an alpha channel is supported. With a PNG watermark in use, only the
||Placeholder for the session connection date (YYYY/MM/DD)||N/A||N/A||-|
||Placeholder for the session connection time (HH:MM)||N/A||N/A||-|
||Placeholder for the user account domain||N/A||N/A||-|
||Placeholder for the current logon user name (excluding the user account domain)||N/A||N/A||-|
||Placeholder for the host name of the VDA||N/A||N/A||-|
||Placeholder for the IP address of the client||N/A||N/A||-|
||Placeholder for the IP address of the VDA||N/A||N/A||-|
If Watermark custom text is specified with a valid syntax setting, all other session watermark policies - except Enable session watermark - are ignored.
If you leave a syntax option unspecified or set it to an unsupported value, their default value is used.
- Session watermark is supported in either of the following cases:
- When Use video codec for compression is set to For the entire screen.
- When Use video codec for compression is set to Use when preferred and Optimize for 3D graphics workload is enabled.
- Session watermark is not supported in sessions where browser content redirection is used. To use the session watermark feature, ensure that browser content redirection is disabled.
- Session watermark is not supported and does not appear if the session is running in full-screen hardware accelerated H.264 or H.265 encoding mode with legacy NVIDIA drivers. (In this case, NvCaptureType is set to 2 in the registry.)
- Watermark is not visible for session shadowing.
- If you press the Print Screen key to capture a screen, the screen captured at the VDA side does not include the watermark. We recommend that you take measures to avoid screen captures being copied.