Access assurance location dashboard
With an increase in remote working, as a Citrix IT administrator, you might want assurance that your users are accessing Citrix Virtual Apps and Desktops or Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) from their usual and safe locations. If any users have logged on from unknown locations or new locations, you can validate their logon details and take necessary actions to mitigate any threats to your Citrix IT environment.
The Access Assurance Location dashboard provides an overview of the locations from where your users are accessing virtual apps or virtual desktops. Citrix Analytics for Security receives these user logon events from Citrix Workspace app installed on the users’ devices. The location information is provided at the city and the country level and does not represent a precise geolocation.
View the dashboard
To view the dashboard, click Security > Access Assurance. Select the time period for which you want to view the location details.
Analyze the user logon summary
The User Logon Summary page provides the following information for a selected period:
Total number of user logons across the locations (worldwide).
Total number of unique user logons across the locations (worldwide).
Total number of countries from where the users have logged on.
Total number of countries and the unique user logons in the geofencing areas. To view the logon details from the geofencing areas, enable geofencing.
Top 10 locations with unique user logons. Sometimes the top unique user logons are also from unknown cities and countries and these are listed under the Unknown Locations tab. The list of unknown locations is also a subset of the top 10 locations. To find the reasons why some locations are unidentified, see Locations identified as not available.
You can also view the upward or downward trend of the total user logons worldwide and the total unique user logons worldwide. For the top 10 locations, the DEVIATION column shows the change, positive (+) or negative (-), in the user logons for each location. This comparison is based on the selected time period and the previous time period of equal length. For example, if you select the time period Last 1 Month, the user logon trend and the deviation are compared between the last 1 month and the 1 month before it.
The map displays the number of unique users from various locations for a selected period. Hover over the blue bubble or zoom in to a location to view the total number of unique user logons from the location. Click the blue bubble to view the access details for a location.
On the bottom right corner of the map, you can view the range of the unique user logons. For a selected period, the small bubble indicates the minimum number of the unique user logons across the locations. The large bubble indicates the maximum number of the unique user logons across the locations.
View access profiles of the users
The Access Profile page provides the summary of your users’ accesses to virtual apps or virtual desktops from the selected locations. It provides the trend analysis of the total and unique user logons for the selected period. You can view the top access events for the selected locations. This information helps you to review the access patterns and the details for threat investigation and analysis.
The upward or downward trend for the total user logons and the unique user logons is based on a comparison of the selected time period with the previous time period of equal length. For example, if you select the time period Last 1 Month, the trend is compared between the last 1 month and the 1 month before it.
You can use the following facets for the access events:
Location. Filter the access events by countries and their cities.
OS. Filter the access events by the operating systems and their versions.
You might also see the not available label if data is either unavailable or unidentified.
Based on the applied filters, view the following information for total user logons and unique user logons:
Timeline details. The chronological sequence of total user logon events and unique user logon events for a selected period. It helps you to compare and understand the past and ongoing event patterns.
Location details. The top countries and cities from which the users have logged on to virtual apps or virtual desktops.
Network IPs. The top subnets and the IP addresses from which the users have logged on to virtual apps or virtual desktops.
View logon details of users
The User Logons page provides the details of the user logons to virtual apps or virtual desktops from the selected locations. This information helps you during threat investigation and analysis.
The DATA table displays the following logon details for the selected locations and the time period:
Time. The date and time when the user logged on.
User name. The identity of the user.
Client IP. The IP address of the user device.
Client IP Type. The type of IP address of the user such as public or private.
City and country. The locations from where the user has logged on to virtual apps or virtual desktops.
Device ID. The identity code of the user device.
OS name. The operating system on the user device. For more information, see Self-service search for Apps and Desktops.
OS version. The version of the operating system on the user device. For more information, see Self-service search for Apps and Desktops.
OS extra information. Any additional information of the operating system such as build numbers, service packs, and patches. For more information, see Self-service search for Apps and Desktops.
Workspace app version. The build version of Citrix Workspace app or Citrix Receiver.
On the DATA table, you can do the following operations:
Click Add or Remove Columns to update the table columns based on how you want to view the data.
Click Sort By and select the data elements to perform a multi-column sort. For more information, see Multi-column sorting.
Click Export to CSV format to download the data shown on the DATA table to a CSV file and use it for your analysis.
You can also use the search bar to define your query using the dimensions associated with a logon event. For example:
User = “test user” AND Client-IP = “10.xx.xx.xx” AND Client-IP-Type = public
User = “firstname.lastname@example.org” AND OS-Major-Version = “macOS 10.13” AND OS-Minor-Version = 6
You can use the following facets for the logon events:
Locations. Filter the logon events by countries and their cities.
OS. Filter the logon events by operating system and their versions.
Client IP type. Filter the access events by the public and the private IP types.
You might also see the not available label if data is either unavailable or unidentified.
Locations identified as not available
On the Top 10 Unique Logon Locations table, you might see that some locations are unknown or unavailable. Click an unknown location to view the corresponding user logon details on the User Logons page.
On the User Logons page, the DATA table displays the NA label if any country or city information is unavailable.
Hover over the NA label to view the reason why the location information is unavailable.
You might see one of the following scenarios for the unavailability of a location:
|The city name and the country name are not available.||One of the following: 1. The users are using an unsupported version of Citrix Workspace app. To view the location information, update the client to a supported version. 2. The user’s network public IP address is unavailable and therefore Citrix Analytics cannot find the location. 3. The external geo-location service is unable to send the location information to Citrix Analytics.|
|Locations with private IPs||The user’s device is within a private network. In this case, the location information is unavailable to Citrix Analytics.|
|The country name is available but the city name is not available.||The user’s device might be using a corporate IP. The corporate IP ranges are obfuscated in the external geo-location service. Therefore, the location information is unavailable to Citrix Analytics.|
Supported client versions to get user’s location
If the location information is unavailable because of the unsupported Citrix Workspace app versions, then update the client to one of the following versions.
|Client name||Version||Build version|
|Citrix Workspace app for Windows||2008 or above||220.127.116.11 or above|
|Citrix Workspace app for Mac||2006 or above||20.06.0.7 or above|
|Citrix Workspace app for HTML5||2007 or above||18.104.22.16827 or above|
|Citrix Workspace app for iOS||Latest version available in Apple App Store||Latest version available in Apple App Store|
|Citrix Workspace app for Android||Latest version available in Google Play||Latest version available in Google Play|
|Citrix Workspace app for Chrome||Latest version available in Chrome Web Store||Latest version available in Chrome Web Store|
|Citrix Workspace app for Linux||2104 or above||Not available|
For specific lifecycle milestone dates for each release of Citrix Workspace app, see Lifecycle Milestones for Citrix Workspace app and Citrix Receiver. To download the latest version of Citrix Workspace app, visit the Citrix Downloads page.
Geofencing helps you to identify the users who access virtual apps or virtual desktops from outside your predefined areas (geofence).
To configure your geofence, click Add/Edit Geofence. Enable the Geofence Settings and select the countries.
This feature uses the preconfigured custom risk indicator CVAD-Session started outside of geofence to monitor the user logons outside the geofence. If any user logons are detected outside the geofence, the risk indicator is triggered and the Session started outside of geofence policy is applied to those users. The policy triggers the Request End User Response action and, based on the user’s response, you can take appropriate action to prevent threats from any suspicious logons. For more information, see preconfigured custom risk indicators.
In the Geofence Settings, when you modify the countries, the CVAD-Session started outside of geofence risk indicator also gets updated.
For example, if you select and save the countries Australia and India as the new geofenced countries, the preconfigured condition of the risk indicator gets updated with the new countries, in addition to the United States (which is the default geofence). You can also remove the default geofenced country United States.
Preconfigured condition of the risk indicator:
Event-Type = "Session.logon" AND Country != "" AND Country ~ "" AND Country != "United States"
After updating the Geofence Settings, the condition of the risk indicator:
Event-Type = "Session.logon" AND Country != "" AND Country ~ "" AND Country NOT IN ("Australia", "United States", "India")
If the CVAD-Session started outside of geofence risk indicator is previously deleted from your account, enabling the Geofence Settings creates the risk indicator again. The geofenced countries of the risk indicator are controlled from the Geofence Settings.
After enabling the Geofence Settings, the map displays the geofenced areas and the unique user logons from these areas.
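The geofence condition above can also be replayed offline against a CSV exported from the DATA table, for example to review a past period. The following is an added example, not Citrix code: the CSV header names, the sample rows, and the treatment of an empty or "NA" country as "no location" are assumptions.

```python
import csv
import io
from collections import defaultdict

# Geofenced countries from the page's updated example condition.
GEOFENCE = {"Australia", "United States", "India"}

# Constructed sample export; header names are assumed, not a documented schema.
SAMPLE_CSV = """Time,User name,Client IP,Client IP Type,City,Country
2024-05-01T08:02:11Z,alice,203.0.113.10,public,Sydney,Australia
2024-05-01T09:15:40Z,bob,198.51.100.7,public,Berlin,Germany
2024-05-01T09:47:03Z,carol,10.20.30.40,private,,
2024-05-02T07:30:00Z,bob,198.51.100.7,public,Berlin,Germany
2024-05-02T11:05:19Z,dave,192.0.2.55,public,,India
2024-05-02T23:59:59Z,alice,203.0.113.77,public,Lagos,Nigeria
"""

def has_country(row):
    """False when the country is empty or shown as NA (assumed export form)."""
    return (row.get("Country") or "").strip().upper() not in ("", "NA")

def outside_geofence(row, geofence=GEOFENCE):
    """Mirror: Country != "" AND Country NOT IN (geofence)."""
    return has_country(row) and row["Country"].strip() not in geofence

def triage(csv_text, geofence=GEOFENCE):
    """Return ({user: countries outside the geofence}, [(user, ip_type) with no country])."""
    outside = defaultdict(set)
    unlocated = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if outside_geofence(row, geofence):
            outside[row["User name"]].add(row["Country"].strip())
        elif not has_country(row):
            # The condition skips these rows, so review them separately.
            unlocated.append((row["User name"], row["Client IP Type"]))
    return dict(outside), unlocated

if __name__ == "__main__":
    outside, unlocated = triage(SAMPLE_CSV)
    for user, countries in sorted(outside.items()):
        print(f"outside geofence: {user} -> {sorted(countries)}")
    for user, ip_type in unlocated:
        print(f"no location, not evaluated: {user} [{ip_type}]")
```

Logons with no country never match the condition, so the second list is the set of sessions the geofence indicator cannot cover, such as private IPs or unsupported clients.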