App Protection Policies

Contributors

Author: Martin Zugec & Alvin Raagas

Overview

This guide is designed to walk you through the technical prerequisites, use cases, and configuration of App protection policies for your on-premises Citrix Virtual Apps and Desktops deployment. App protection is an add-on feature for Citrix Workspace app (CWA) that provides enhanced security when using Citrix Virtual Apps and Desktops published resources. Two policies provide anti-keylogging and anti-screen-capture capabilities in a Citrix HDX session.

System Requirements

The App protection policies feature requires a specific version of Citrix Workspace app and supports Windows and macOS endpoints. A special add-on license is required, together with configuration changes on the StoreFront and Delivery Controller servers. You can read more about system requirements in the product documentation.

Citrix Workspace app

Minimum versions:

  • Citrix Workspace app for Windows 1912 LTSR
  • Citrix Workspace app for Mac 2001+
  • Citrix Workspace app for Windows 2002+

Operating Systems Supported:

  • Windows 7, 8.1 and 10
  • macOS 10.13 (High Sierra) and newer

Server operating systems (for example Windows Server 2019) are not supported.

Note: These operating systems are supported where Citrix Workspace app is installed (typically the endpoint). The VDA supports all operating systems, including server OS.

Licenses

Valid Citrix licenses are required:

  • Citrix Virtual Apps and Desktops
  • App protection add-on license

Infrastructure

The following server components are required:

  • StoreFront 1912 or higher
  • Delivery Controller 1912 or higher

Installation - Delivery Controller

  1. After you purchase the app protection feature, download the FeatureTable.OnPrem.AppProtection.xml file from the Citrix Virtual Apps and Desktops 1912 or later download page

    Note: App Protection Policies XML file is located under Components

    Download

  2. Click on Download File and save it to local disk

    Download

  3. On any Delivery Controller, launch PowerShell and load the Citrix PowerShell snap-ins using the following cmdlet:

    Add-PSSnapin Citrix*

    Import snap-in

  4. In PowerShell, navigate to the folder where the XML file was downloaded
  5. Enable the App protection feature with the following command:

    Import-ConfigFeatureTable FeatureTable.OnPrem.AppProtection.xml

    Import feature table

  6. Verify that App Protection is enabled with the following command:

    Get-ConfigEnabledFeature | Select-String -Pattern "AppProtection"

    Get feature

  7. Enable XML Trust by running the following command:

    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

    Set XML trust
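The seven steps above, collected into one idempotent script that can be re-run safely on a Delivery Controller. This is an added example, not a script from the original guide or from Citrix; it uses only the cmdlets shown above plus Get-BrokerSite for the verification step. The path in $FeatureTablePath is an assumption, as is the Citrix-snap-in-present environment (run it on a Controller).

```powershell
# Added example (not from the original guide): enable the App protection
# feature on a Delivery Controller with a check after each step.
# Assumption: FeatureTable.OnPrem.AppProtection.xml has already been
# downloaded to $FeatureTablePath (the default path below is a placeholder).
param(
    [string]$FeatureTablePath = "C:\Temp\FeatureTable.OnPrem.AppProtection.xml"
)

$ErrorActionPreference = 'Stop'

# Load the Citrix snap-ins (Config and Broker cmdlets are used below).
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

if (-not (Test-Path -Path $FeatureTablePath)) {
    throw "Feature table not found at '$FeatureTablePath'. Download it from the Citrix Virtual Apps and Desktops download page (Components section) first."
}

# Step 5/6: import the feature table unless App protection is already enabled.
$enabled = Get-ConfigEnabledFeature | Where-Object { "$_" -match 'AppProtection' }
if ($enabled) {
    Write-Host "App protection feature already enabled: $enabled"
}
else {
    Import-ConfigFeatureTable $FeatureTablePath
    $enabled = Get-ConfigEnabledFeature | Where-Object { "$_" -match 'AppProtection' }
    if (-not $enabled) {
        throw "App protection did not appear in Get-ConfigEnabledFeature after import; check the XML file and the Config service."
    }
    Write-Host "App protection feature enabled: $enabled"
}

# Step 7: XML trust. With this set, the Controller trusts launch requests arriving
# on the XML service port from StoreFront without re-validating the user's
# password, so the XML port on every Controller should be reachable only from
# trusted StoreFront servers (firewall or network segmentation).
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}
if (-not (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort) {
    throw "XML trust is still disabled on the site."
}
Write-Host "XML trust is enabled; App protection prerequisites on the Controller are complete."
```

Run it once per site (the Config feature table and the Broker site setting are site-wide, not per Controller); re-running it reports the already-enabled state instead of importing again.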

Installation - Licensing

  1. Download the license file and import it into the Citrix License Server alongside an existing Citrix Virtual Desktops license
  2. Use the Citrix Licensing Manager to import the license file. For more information, see Install licenses

Installation - Citrix Workspace app

  1. Include the app protection component using one of the following methods:

    For Windows: During Citrix Workspace app installation (for Windows), select Enable app protection and then click Install to continue with the installation or use the command-line switch CitrixWorkspaceApp.exe /includeappprotection. For more information, see App protection section of Citrix Workspace app for Windows production documentation.

    Install feature

    For macOS: App protection requires no specific installation or configuration on Citrix Workspace for Mac.

    Note: It is not possible to add App protection support to older clients. Uninstall the old version of Citrix Receiver / Citrix Workspace app and install the new version with the App protection component.

  2. Click Finish

    Finish

  3. Click Yes to restart your computer

    Restart

Configuration - Delivery Group

Anti-keylogging and anti-screen-capture protection is configured at the delivery group level using PowerShell. There are two properties on each delivery group that affect the behavior of app protection policies:

  • AppProtectionKeyLoggingRequired - can be $True (enabled) or $False (disabled)
  • AppProtectionScreenCaptureRequired - can be $True (enabled) or $False (disabled)

  1. On any Delivery Controller, launch PowerShell and load the Citrix PowerShell snap-ins using the following cmdlet:

    Add-PSSnapin Citrix*

  2. To Enable App protection for the Admin Desktop delivery group, use the following command:

    Set-BrokerDesktopGroup -Name "Admin Desktop" -AppProtectionKeyLoggingRequired $True -AppProtectionScreenCaptureRequired $True

    Set property

  3. Validate the settings by running the following PowerShell command:

    Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired | Format-Table -AutoSize

    Get properties
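The same configuration applied to a list of delivery groups, followed by an audit of every group in the site that flags any group where only one of the two properties is set. This is an added example, not from the original guide or from Citrix; the group names in $ProtectedGroups and the $DryRun switch are assumptions, and the script relies only on Get-BrokerDesktopGroup and Set-BrokerDesktopGroup as used above.

```powershell
# Added example (not from the original guide): enable both App protection
# properties on the named delivery groups, then audit the whole site.
# Assumption: the group names below are placeholders; replace with your own.
param(
    [string[]]$ProtectedGroups = @("Admin Desktop", "Finance Apps"),
    [switch]$DryRun   # report what would change without calling Set-BrokerDesktopGroup
)

$ErrorActionPreference = 'Stop'
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

foreach ($name in $ProtectedGroups) {
    # Exact-name lookup; a missing group is a warning, not a fatal error.
    $group = Get-BrokerDesktopGroup -Name $name -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Delivery group '$name' not found; skipping."
        continue
    }

    if ($group.AppProtectionKeyLoggingRequired -and $group.AppProtectionScreenCaptureRequired) {
        Write-Host "'$name': both App protection properties already enabled."
        continue
    }

    if ($DryRun) {
        Write-Host "'$name': would enable anti-keylogging and anti-screen-capture."
        continue
    }

    # Both properties are set together; a group with only one of them enabled
    # is reported as partially protected by the audit below.
    Set-BrokerDesktopGroup -Name $name `
        -AppProtectionKeyLoggingRequired $true `
        -AppProtectionScreenCaptureRequired $true
    Write-Host "'$name': App protection enabled."
}

# Audit every delivery group in the site. 'Partial' means exactly one of the
# two properties is set, which is usually a configuration mistake.
Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired |
    Select-Object Name,
        AppProtectionKeyLoggingRequired,
        AppProtectionScreenCaptureRequired,
        @{ Name = 'Status'; Expression = {
            if ($_.AppProtectionKeyLoggingRequired -and $_.AppProtectionScreenCaptureRequired) { 'Protected' }
            elseif ($_.AppProtectionKeyLoggingRequired -or $_.AppProtectionScreenCaptureRequired) { 'Partial' }
            else { 'Unprotected' }
        } } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

The audit portion is useful on its own as a periodic check: pipe it to Export-Csv instead of Format-Table to keep a record of which groups carried protection at a given date.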

Testing - Citrix Workspace app for Windows

The following steps provide guidance for anti-screen-sharing testing only. To test anti-keylogging protection, we recommend consulting with your own security team.

  1. Launch Citrix Workspace app and login

    Launch Workspace

  2. Click on a protected virtual app or virtual desktop (for example Admin Desktop) and launch the HDX session. If you don’t see protected resources, you are probably using a web store or an unsupported Citrix Receiver / Citrix Workspace app.

    Launch resource

  3. (Optional) If App protection is not installed, you get the following popup when trying to launch a protected virtual app or desktop. Click Yes.

    Optional download

    Note: This option is not available with older versions of Citrix Receiver / Citrix Workspace app

  4. Try to perform a screen capture

    Take screenshot

  5. Confirm that you see a blank screen (expected behavior)

    Blank screenshot

When testing anti-keylogging and anti-screen-capture protection, be aware of the expected behavior:

  • Anti-keylogging - This feature is active only when a protected window is in focus
  • Anti-screen-capture - This feature is active when a protected window is visible (not minimized)

Another simple method to test the anti-screen-capture protection is to use one of the popular conferencing tools (GoToMeeting, Microsoft Teams, Zoom, or Slack). Screen sharing of the protected window should not be possible when protection is enabled.

References

Product Documentation - Citrix Workspace app

Product Documentation - App protection