PoC Guide: App protection policies


This guide is designed to walk you through the technical prerequisites, use cases, and configuration of App protection policies for your on-premises Citrix Virtual Apps and Desktops deployment. App protection is an add-on feature for Citrix Workspace app (CWA) that provides enhanced security when using Citrix Virtual Apps and Desktops published resources. Two policies provide anti-keylogging and anti screen capturing capabilities in a Citrix HDX session.

System Requirements

The App protection policies feature requires a specific version of Citrix Workspace app and supports various endpoints. A special add-on license is required, together with configuration changes on the StoreFront and Delivery Controller servers. Refer to the system requirements in the product documentation for the most up-to-date requirements.

For the current list of Citrix Workspace App and endpoint Operating Systems supported, please refer to System Requirements. Additionally, Citrix Ready provides third party endpoints that are supported by our partners.


Valid Citrix licenses are required:

  • Citrix Virtual Apps and Desktops
  • App protection add-on license
  • For Citrix DaaS, the App Protection feature is included as a part of certain Citrix Cloud service packages and licenses are provided directly on Citrix Cloud.

On-premises Citrix Virtual Apps and Desktops Infrastructure

The following server components are required only for on-premises deployments. For Citrix DaaS deployments, skip to the Workspace Installation section.

  • StoreFront 1912 or higher
  • Delivery Controller 1912 or higher

Installation - Delivery Controller


The following steps are only required for Citrix Virtual Apps and Desktops versions 1912, 2003 and 2006; the app protection feature is automatically included in newer releases. The only step required on newer releases is to enable XML trust (the first step).

  1. Enable XML Trust by running the following command:

    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true


  2. After you purchase the app protection feature, download the FeatureTable.OnPrem.AppProtection.xml file from the Citrix Virtual Apps and Desktops 1912 or later download page.


    App Protection Policies XML file is located under Components


  3. Click Download File and save the file to the local disk.


  4. On any Delivery Controller, launch PowerShell and load the Citrix PowerShell snap-ins using the following cmdlet:

    Add-PSSnapin Citrix*


  5. In PowerShell, navigate to the folder where the XML file was downloaded.
  6. Enable the App protection feature with the following command:

    Import-ConfigFeatureTable FeatureTable.OnPrem.AppProtection.xml


  7. Verify that App Protection is enabled with the following command:

    Get-ConfigEnabledFeature | Select-String -Pattern "AppProtection"

Installation - Licensing

  1. Download the license file and import it into the Citrix License Server alongside an existing Citrix Virtual Desktops license
  2. Use the Citrix Licensing Manager to import the license file. For more information, see Install licenses

Installation - Citrix Workspace app

  1. Include the app protection component using one of the following methods:

    For Windows: During Citrix Workspace app installation, select Enable app protection and then click Install to continue with the installation, or use the command-line switch CitrixWorkspaceApp.exe /includeappprotection. For more information, see the App protection section of the Citrix Workspace app for Windows product documentation.

    For macOS: App protection requires no specific installation or configuration on Citrix Workspace for Mac.


    It is not possible to add App protection support to older clients. Uninstall the old version of Citrix Receiver / Citrix Workspace app and install a new version with the App protection component.

  2. Click Finish


  3. Click Yes to restart your computer


Configuration - Delivery Group

Anti-keylogging and anti screen capture protection is configured at the delivery group level using PowerShell. Two properties on each delivery group affect the behavior of app protection policies:

  • AppProtectionKeyLoggingRequired - can be $True (enabled) or $False (disabled)
  • AppProtectionScreenCaptureRequired - can be $True (enabled) or $False (disabled)

  1. On any Delivery Controller, launch PowerShell and load the Citrix PowerShell snap-ins using the following cmdlet:

    Add-PSSnapin Citrix*

  2. To enable App protection for the Admin Desktop delivery group, use the following command:

    Set-BrokerDesktopGroup -Name "Admin Desktop" -AppProtectionKeyLoggingRequired $True -AppProtectionScreenCaptureRequired $True


  3. Validate the settings by running the following PowerShell command:

    Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired | Format-Table -AutoSize

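The following read-only audit is an added example, not part of the original guide or Citrix's own tooling. It combines the checks above (XML trust, the enabled feature, and the two delivery group properties) and flags groups where only one of the two policies is required. It assumes the XML trust setting can be read back from Get-BrokerSite as TrustRequestsSentToTheXmlServicePort; the function name and the -MaxRecordCount value are illustrative.

```powershell
# Added example: read-only audit, run on a Delivery Controller.
Add-PSSnapin Citrix* -ErrorAction Stop

function Get-AppProtectionAudit {
    # Site prerequisites from the Delivery Controller installation steps.
    $site = Get-BrokerSite
    $feature = Get-ConfigEnabledFeature | Select-String -Pattern 'AppProtection'

    # Broker Get- cmdlets return 250 records by default; the limit here is
    # an assumed value, raise it for larger sites.
    $groups = Get-BrokerDesktopGroup -MaxRecordCount 5000 | ForEach-Object {
        $key = [bool]$_.AppProtectionKeyLoggingRequired
        $scr = [bool]$_.AppProtectionScreenCaptureRequired
        $state = if ($key -and $scr) { 'Full' } elseif ($key -or $scr) { 'Partial' } else { 'None' }
        [pscustomobject]@{
            Name              = $_.Name
            AntiKeylogging    = $key
            AntiScreenCapture = $scr
            Protection        = $state
        }
    }

    [pscustomobject]@{
        XmlTrustEnabled = [bool]$site.TrustRequestsSentToTheXmlServicePort
        FeatureListed   = [bool]$feature
        Groups          = @($groups)
    }
}

$audit = Get-AppProtectionAudit
$audit.Groups | Sort-Object Protection, Name | Format-Table -AutoSize

# XML trust is the one site-level step this guide requires on every release.
$protected = @($audit.Groups | Where-Object Protection -ne 'None')
if ($protected.Count -gt 0 -and -not $audit.XmlTrustEnabled) {
    Write-Warning 'Groups require app protection but XML trust is disabled.'
}
if (-not $audit.FeatureListed) {
    Write-Warning 'AppProtection is not listed by Get-ConfigEnabledFeature.'
}
# A group with only one policy set leaves the other channel unprotected.
$audit.Groups | Where-Object Protection -eq 'Partial' | ForEach-Object {
    Write-Warning "Delivery group '$($_.Name)' has only one policy enabled."
}
```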

Testing - Citrix Workspace app for Windows

The following steps provide guidance for anti screen capture testing only. To test anti-keylogging protection, we recommend consulting with your own security team.

  1. Launch Citrix Workspace app and log in

  2. Click on a protected virtual app or virtual desktop (for example Admin Desktop) and launch the HDX session. If you don't see protected resources, you are probably using a web store or an unsupported Citrix Receiver / Citrix Workspace app.

  3. (Optional) If App protection is not installed, you get the following popup when trying to launch a protected virtual app or desktop. Click Yes



    This option is not available with older versions of Citrix Receiver / Citrix Workspace app

  4. Try to perform a screen capture


  5. Confirm that you see a blank screen (expected behavior)


When testing anti-keylogging and anti screen capture protection, be aware of expected behavior:

  • Anti-keylogging - This feature is active only when a protected window is in focus
  • Anti screen capture - This feature is active when a protected window is visible (not minimized)

Another simple method to test the anti screen capture protection is to use one of the popular conference tools (GoToMeeting, Microsoft Teams, Zoom, or Slack). Screen sharing should not be possible when protection is enabled.


Product Documentation - Citrix Workspace app

Product Documentation - App protection
