PoC Guide: App protection policies
This guide is designed to walk you through the technical prerequisites, use cases, and configuration of App protection policies for your Citrix Virtual Apps and Desktops or Citrix DaaS deployment. App protection is an add-on feature for Citrix Workspace app (CWA) that provides enhanced security when using Citrix published resources. Two policies provide anti-keylogging and anti screen capturing capabilities in a Citrix HDX session.
The App protection policies feature requires specific versions of Citrix Workspace app, Citrix infrastructure components (for on-premises deployments), Virtual Delivery Agents (VDA), operating system platforms, and Citrix licenses (for both Citrix Virtual Apps and Desktops and DaaS), and supports various endpoints. Refer to the system requirements in the product documentation for the most up-to-date requirements.
For this POC guide we will be using the latest Current Release (CR) version of Citrix Virtual Apps and Desktops. At the time of this document update this version was 2311.
Valid Citrix licenses are required:
- Citrix Virtual Apps and Desktops
- App protection add-on license
- For Citrix DaaS, the App Protection feature is included as a part of certain Citrix Cloud service packages and licenses are provided directly on Citrix Cloud.
The following server components are required only for on-premises deployments to use Citrix Web Studio. For Citrix DaaS deployments, skip to the Workspace Installation section.
- StoreFront 2103 or higher
- Delivery Controller 2103 or higher
Installation - Licensing
- Download the license file and import it into the Citrix License Server alongside an existing Citrix Virtual Desktops license
- Use the Citrix Licensing Manager to import the license file. For more information, see Install licenses
Installation - Delivery Controller
- On your Delivery Controller, restart your Broker Service to enable the App Protection feature license in your environment.
- Open Citrix Web Studio.
- Select Settings, and turn on the Enable XML trust toggle.
- Select Delivery Groups, select a delivery group, then click Edit.
- Click App Protection and then select the Anti-keylogging and Anti-screen capturing checkboxes, then click Save.
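The XML trust and delivery group settings from the steps above can also be audited and applied from PowerShell on the Delivery Controller. The script below is an added example, not part of the original guide or Citrix's own code. It assumes an elevated Windows PowerShell session on an on-premises Delivery Controller with the Citrix Broker snap-in available, and the delivery group name is a placeholder. It does not restart the Broker Service.

```powershell
# Added example: report, and optionally enforce, the App Protection settings
# that the Web Studio steps above configure.
# Assumptions: on-premises Delivery Controller, elevated Windows PowerShell,
# Citrix Broker snap-in installed. The delivery group name is a placeholder.
param(
    [string]$DeliveryGroupName = 'EXAMPLE-DELIVERY-GROUP',  # placeholder, not from the guide
    [switch]$Enforce                                        # without this switch: report only
)

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Read the site-wide XML trust flag and the per-group App Protection flags.
$site  = Get-BrokerSite
$group = Get-BrokerDesktopGroup -Name $DeliveryGroupName -ErrorAction Stop

$report = [pscustomobject]@{
    DeliveryGroup     = $group.Name
    XmlTrustEnabled   = $site.TrustRequestsSentToTheXmlServicePort
    AntiKeylogging    = $group.AppProtectionKeyLoggingRequired
    AntiScreenCapture = $group.AppProtectionScreenCaptureRequired
}
$report | Format-List

$compliant = $report.XmlTrustEnabled -and
             $report.AntiKeylogging -and
             $report.AntiScreenCapture

if ($compliant) {
    Write-Output 'XML trust and both App Protection policies are already enabled.'
    return
}
if (-not $Enforce) {
    Write-Warning 'One or more settings are disabled. Re-run with -Enforce to apply them.'
    return
}

# Equivalent of the "Enable XML trust" toggle in Settings.
if (-not $report.XmlTrustEnabled) {
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

# Equivalent of ticking both checkboxes on the delivery group's App Protection page.
Set-BrokerDesktopGroup -Name $DeliveryGroupName `
    -AppProtectionKeyLoggingRequired $true `
    -AppProtectionScreenCaptureRequired $true

# Re-read the group to confirm the change was stored.
Get-BrokerDesktopGroup -Name $DeliveryGroupName |
    Select-Object Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired
```

Run without `-Enforce` first to see which delivery groups are missing either policy before changing anything.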
Installation - Citrix Workspace app
Include the App Protection component using one of the following methods:
For Windows: Starting with Citrix Workspace app version 2212, the App Protection component is installed by default during the Citrix Workspace app installation. For more information on installing the App Protection feature with Citrix Workspace app versions prior to 2311, see here.
For macOS: App protection requires no specific installation or configuration on Citrix Workspace for Mac.
It is not possible to add App protection support to older clients. Uninstall the old version of Citrix Receiver / Citrix Workspace app and install a new version with the App protection component.
For Linux: When you install the Citrix Workspace app using the tarball package, the following message appears: Do you want to install the App Protection component? Warning: You can’t disable this feature. To disable it, you must uninstall Citrix Workspace app. For more information, contact your system administrator. [default $INSTALLER_N]: Enter Y to install App Protection.
Restart your endpoint.
Testing - Citrix Workspace app for Windows
The following steps provide guidance for anti screen sharing testing only. To test anti-keylogging protection, we recommend consulting with your own security team.
Launch Citrix Workspace app and log in.
Click on a protected virtual app or virtual desktop (for example Admin Desktop) and launch the HDX session. If you don’t see protected resources, you are probably using a web store or an unsupported Citrix Receiver / Citrix Workspace app.
(Optional) If App protection is not installed, you get the following popup when trying to launch a protected virtual app or desktop. Click Yes.
This option is not available with older versions of Citrix Receiver / Citrix Workspace app.
Try to perform a screen capture and confirm you see a blank screen (expected behavior).
When testing anti-keylogging and anti screen capture protection, be aware of expected behavior:
- Anti-keylogging - This feature is active only when a protected window is in focus
- Anti screen capture - This feature is active when a protected window is visible (not minimized)
Another simple method to test the anti screen capture protection is to use one of the popular conference tools (GoToMeeting, Microsoft Teams, Zoom, or Slack). Screen sharing should not be possible when protection is enabled.