Product Documentation

Prevent user access to the local desktop

May 09, 2015

Use the Desktop Lock when users do not need to interact with the local desktop. In this access scenario, the virtual desktop effectively replaces the local one, allowing the user to interact with the virtual desktop as if it were local.

The Desktop Lock is a separate component that is released with XenApp, XenDesktop, and Citrix VDI-in-a-Box. It is an alternative to the Desktop Viewer and is designed mainly for repurposed Windows computers and Windows thin clients. The Desktop Lock employs a replacement Windows shell, in which no Start menu is displayed, to prevent users from accessing the local operating system. A replacement for Windows Task Manager is also used.

With the Desktop Lock, users can access desktops from Server OS and Desktop OS Delivery Groups.

System requirements for Desktop Lock

Operating system

The Desktop Lock is supported on the following user device operating systems. Editions or service packs are listed only where support is limited:

  • Windows 7, 32-bit and 64-bit editions (including Embedded Edition)
  • Windows XP Professional, 32-bit and 64-bit editions
  • Windows XP Embedded
  • Windows Vista, 32-bit and 64-bit editions
Note: Support for Windows XP ended on April 8, 2014, when Microsoft ended extended support for Windows XP. Support for Windows XP Embedded continues.

Receiver

Citrix Receiver for Windows Enterprise 3.4 package

Environment

User devices running the Desktop Lock are supported only if they are connected to a local area network (LAN).

Domain-joined and Non-domain-joined installations

You can install the Desktop Lock on domain-joined or non-domain-joined user devices. The system behavior and user experience differ slightly between the two device types.

In domain-joined installations, the Windows user device is joined to an Active Directory domain. In these installations:

  • User devices access StoreFront stores through XenApp Services URLs. VDI-in-a-Box can also be used.
  • Program Neighborhood Agent replaces the Windows Explorer shell, and launches the first alphabetically listed, available desktop in an assigned Desktop Group.
  • The Desktop Lock replacement shell does not override the administrator's shell.
  • Windows Task Manager is replaced with a version that lets the user restart their virtual desktop or that passes the Ctrl+Alt+Delete keyboard combination to the desktop session.
  • On Windows XP user devices, the Ctrl+Alt+Delete keyboard combination summons the replacement Task Manager.
  • The user device mimics the reason for a disconnected or terminated session. For example, if the user shuts down the virtual desktop (causing a session to end), the device also shuts down.

Non-domain-joined installations are primarily used by vendors of Windows terminals that are not joined to an Active Directory domain. In these installations:

  • User devices access StoreFront stores through Desktop Appliance sites.
  • User devices are configured to log on the user automatically, and to launch Internet Explorer in Kiosk Mode. The domain logon page is not displayed.
  • The only access point is the Desktop Appliance site, which launches the first alphabetically listed, available desktop in an assigned Delivery Group.
  • A version of Windows Task Manager passes the Ctrl+Alt+Delete keyboard combination to the desktop session.

Support for multiple monitors

The Desktop Lock supports up to eight monitors. A virtual desktop is displayed across all monitors. The primary monitor on the device becomes the primary monitor in the virtual desktop session.

Keyboard input in Desktop Lock sessions

In Desktop Lock sessions, the Windows logo key+L key combination is directed to the local computer. In most cases, Ctrl+Alt+Delete is directed to the local computer. Shift+F2 cannot be used to switch a full-screen desktop session to windowed mode. However, this key combination can be used in any application sessions within the desktop session.

Ctrl+Esc and Alt+Tab are sent to the remote, virtual desktop.

Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibility features) are normally directed to the local computer.
Note: The Desktop Lock treats some Windows key combinations differently from the Desktop Viewer. Information on the Desktop Viewer is included in the Receiver documentation.

Install or remove the Desktop Lock

To install the Desktop Lock

This procedure installs the Receiver for Windows plug-in so that virtual desktops are displayed using the Desktop Lock. Do not use this procedure if you want the Desktop Viewer, which is included in Receiver, to be available to users.

When you install the Desktop Lock, the system uses a replacement shell. To allow administration of the user device after you complete the installation, the account used to install CitrixDesktopLock.msi is excluded from the shell replacement. If the account used to install CitrixDesktopLock.msi is later deleted, you will not be able to log on and administer the device.

Citrix does not recommend the use of custom shells because they might interfere with the replacement shell that is used for Desktop Lock sessions.

Users must use domain accounts to access desktops with the Desktop Lock. They cannot use local accounts.

  1. Log on to the computer as a local administrator.
  2. At a command prompt, run CitrixReceiverEnterprise.exe using the following syntax. This file is located in the folder called Citrix Receiver and Plug-ins\Windows\Receiver on the installation media:
    CitrixReceiverEnterprise.exe ADDLOCAL="ReceiverInside,ICA_Client,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d" SERVER_LOCATION="my.server" ENABLE_SSON="Yes"

    For information about the properties used in this command, see the topic Configure and install Receiver for Windows using command-line parameters in the Receiver for Windows documentation.

  3. Enter the URL of the Services site where your virtual desktops are located. The URL must be in the format http://servername or https://servername. If you are using hardware or software for load balancing or failover, you can enter a load-balanced address.
    Important: Ensure that the URL you enter is correct. If the URL is incorrectly typed, or you leave the field empty and the user does not enter a valid URL when prompted after installation, no virtual desktop or local desktop will be available.
  4. On the installation media, navigate to the Citrix Receiver and Plug-ins\Windows\Receiver folder and double-click CitrixDesktopLock.msi. The Citrix Desktop Lock wizard appears.
  5. Read and accept the Citrix license agreement and click Install. The Installation Progress page appears.
  6. In the Installation Completed dialog box, click Close.
  7. When prompted, restart the user device. If you have been granted access to a desktop and you log on as a domain user, the restarted device is displayed using the Desktop Lock.
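The procedure above can be scripted for repeatable deployment to repurposed PCs and thin clients. The following PowerShell script is an added example, not a Citrix-supplied tool: it runs steps 1 to 7, validates the Services URL before anything is installed (an empty or mistyped URL leaves the device with neither a virtual nor a local desktop), and records which account performed the installation, because that account is the only one excluded from the shell replacement and deleting it later locks administrators out. Assumptions not stated on the page: that SERVER_LOCATION accepts the same http(s)://servername form that step 3 asks for, that CitrixDesktopLock.msi installs unattended with the standard msiexec /qn switch (the page describes only the interactive wizard), and the record file path, which is our own choice.

```powershell
<#
  Added example (not Citrix's own script): scripted Desktop Lock deployment.
  Assumptions: SERVER_LOCATION takes the http(s)://servername form of step 3;
  CitrixDesktopLock.msi accepts the standard msiexec /qn switch; $RecordPath is
  our own choice. Run from an elevated local administrator session (step 1).
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $MediaRoot,        # root of the installation media
    [Parameter(Mandatory)] [string] $ServerLocation,   # http://servername or https://servername
    [string] $RecordPath = 'C:\ProgramData\DesktopLockInstall.txt',
    [switch] $Reboot
)
$ErrorActionPreference = 'Stop'

# Step 1: the installing account must be a local administrator. It is also the
# account that stays excluded from the shell replacement, so it is the only
# account that can administer the device afterwards (see the note above).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated local administrator session.'
}

# Step 3 caveat: a wrong or empty URL leaves the device with no desktop at all,
# so validate the exact form (scheme + host, nothing else) before installing.
$uri = $null
if (-not [System.Uri]::TryCreate($ServerLocation, [System.UriKind]::Absolute, [ref]$uri) -or
    @('http', 'https') -notcontains $uri.Scheme -or $uri.AbsolutePath -ne '/') {
    throw "ServerLocation must be exactly http://servername or https://servername (got '$ServerLocation')."
}
if ($uri.Scheme -eq 'http') {
    Write-Warning 'Using HTTP: traffic to the Services site is not protected by TLS.'
}

$mediaDir = Join-Path $MediaRoot 'Citrix Receiver and Plug-ins\Windows\Receiver'
$receiver = Join-Path $mediaDir 'CitrixReceiverEnterprise.exe'
$lockMsi  = Join-Path $mediaDir 'CitrixDesktopLock.msi'
foreach ($f in @($receiver, $lockMsi)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Installer not found: $f" }
}

# Step 2: install Receiver (Enterprise) with the component set the page specifies.
$receiverArgs = @(
    'ADDLOCAL="ReceiverInside,ICA_Client,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d"',
    "SERVER_LOCATION=`"$ServerLocation`"",
    'ENABLE_SSON="Yes"'
)
$p = Start-Process -FilePath $receiver -ArgumentList $receiverArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "Receiver install failed with exit code $($p.ExitCode)" }

# Steps 4-6: install the Desktop Lock MSI unattended (assumption, see header).
# 3010 = ERROR_SUCCESS_REBOOT_REQUIRED, which is expected here.
$msiLog  = Join-Path $env:TEMP 'CitrixDesktopLock.log'
$msiArgs = @('/i', "`"$lockMsi`"", '/qn', '/norestart', '/l*v', "`"$msiLog`"")
$p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if (@(0, 3010) -notcontains $p.ExitCode) {
    throw "Desktop Lock install failed with exit code $($p.ExitCode); see $msiLog"
}

# Record the installing account: if it is deleted later, nobody can log on to
# administer the device, so keep this record with the device inventory.
"Desktop Lock installed $(Get-Date -Format o) by $($identity.Name) on $env:COMPUTERNAME" |
    Add-Content -LiteralPath $RecordPath

# Step 7: restart only when asked; the Desktop Lock takes effect at the next logon.
if ($Reboot) { Restart-Computer -Force }
```

Run it as, for example, `.\Install-DesktopLock.ps1 -MediaRoot D:\ -ServerLocation https://storefront.example.com -Reboot` (the hostname is illustrative). Keep the record file, or copy its contents into your inventory, so the excluded administrator account is never removed from a device that still runs the Desktop Lock.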

Remove the Desktop Lock

  1. Log on with the same local administrator credentials that were used to install the Desktop Lock.
  2. Run the Add/Remove programs utility from the Control Panel.
  3. Remove Citrix Desktop Lock.
  4. Remove Citrix Receiver or Citrix Receiver (Enterprise).

Configure the Desktop Lock

Important: Use an administrator account to configure the Desktop Lock. This must be the same account that you used for the installation.
To configure the Desktop Lock using Group Policy, load the following .adm files under Computer Configuration or User Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components:
  • icaclient.adm: To obtain this file, see To enable smart card usage.
  • icaclient_usb.adm: This file is located in the following directory: %SystemDrive%\Program Files\Citrix\ICA Client\Configuration\en.

Considerations when configuring the Desktop Lock

Grant access to only one virtual desktop running the Desktop Lock per user.

Do not allow users to hibernate virtual desktops. Use Active Directory policies to prevent this.

To configure USB preferences

When a user plugs in a USB device, that device is automatically remoted to the virtual desktop. No user interaction is required. The virtual desktop is responsible for controlling the USB device and displaying it in the user interface.
  1. Turn on USB support in XenApp or XenDesktop deployments by enabling the USB policy rule. For more information, see USB Devices policy settings.
  2. In Citrix Receiver > Remoting client devices > Generic USB Remoting, enable and configure the Existing USB Devices, New USB Devices, and USB Devices List In Desktop Viewer policies. You can use the Show All Devices policy to display all connected USB devices, including those using the Generic USB virtual channel (for example, webcams and memory sticks).

To configure drive mapping

In Citrix Receiver > Remoting client devices, enable and configure the Client drive mapping policy.

To configure a microphone

In Citrix Receiver > Remoting client devices, enable and configure the Client microphone policy.

Configure smart cards for use with devices running Desktop Lock

Updated: 2015-03-05

This provides an overview of how to prepare Citrix StoreFront, Citrix Desktop Lock, and Desktop Appliances to work with smart cards.

These instructions apply to the version of Desktop Lock included with Citrix Receiver for Windows Enterprise 3.4. To configure the version of Desktop Lock included with Citrix Receiver for Windows 4.2, see the instructions in Receiver Desktop Lock.

  1. Configure StoreFront. See Install and set up StoreFront for details.
    1. Configure the XML Service to use DNS Address Resolution for Kerberos support.
    2. Configure StoreFront sites for HTTPS access, create a server certificate signed by your domain certificate authority, and add HTTPS binding to the default website.
    3. Ensure Pass-through with smart card is enabled. This is enabled by default.
    4. Enable Kerberos.
    5. Enable Kerberos and Pass-through with smart card.
    6. Enable Anonymous access on the IIS Default Web Site and use Integrated Windows Authentication.
    7. Ensure the IIS Default Web Site does not require SSL and ignores client certificates.
    8. Enable XenApp Services support.
  2. Configure Local Computer Policies on the user device.
    1. Import the icaclient.adm template using the Group Policy Management Console. The template is available in %ProgramFiles%\Citrix\ICA Client\Configuration\.
    2. Expand Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication.
    3. Enable Smart card authentication.
    4. Enable Local user name and password.
  3. Configure the user device before installing Desktop Lock.
    1. Add the URL for the Delivery Controller to the Windows Internet Explorer Trusted Sites list.
    2. Add the URL for the first desktop group to the Internet Explorer Trusted Sites list. Use the following format: desktop://desktop-20group-20name.
    3. Enable Internet Explorer to use automatic login for Trusted Sites.
  4. Configure the user device after installing Desktop Lock.
    1. Edit the registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PNAgent\ServerURL to point to the PNAgent config.xml of the Delivery Controller.
      Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
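The registry step above (4.1) is the one place in this procedure where a typo silently breaks every logon on the device, so it is worth doing with a backup and a read-back check rather than by hand in Registry Editor. The following PowerShell script is an added example, not a Citrix-supplied tool. It refuses to run unless Citrix Desktop Lock is installed (the step belongs after installation), requires an https:// URL because step 1.2 configured the StoreFront site for HTTPS, exports the key before changing it, and restores the export if the value does not read back correctly. Assumptions not stated on the page: the config.xml URL you pass (the host and path are yours), the backup directory, and that the PNAgent key already exists once Receiver (Enterprise) is installed with the PN_Agent component.

```powershell
<#
  Added example (not Citrix's own script): set HKLM\SOFTWARE\Citrix\PNAgent\ServerURL
  to the Delivery Controller's PNAgent config.xml with a registry backup and a
  read-back check. Assumptions: $ConfigUrl and $BackupDir are yours; the PNAgent
  key exists after Receiver (Enterprise) is installed with PN_Agent.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ConfigUrl,   # e.g. https://controller.example.com/Citrix/PNAgent/config.xml (illustrative)
    [string] $BackupDir = 'C:\ProgramData\RegBackups'
)
$ErrorActionPreference = 'Stop'
$keyPath   = 'HKLM:\SOFTWARE\Citrix\PNAgent'
$keyNative = 'HKLM\SOFTWARE\Citrix\PNAgent'   # same key in reg.exe notation
$valueName = 'ServerURL'

# This is a post-install step: refuse to run unless Citrix Desktop Lock (the name
# it shows under Add/Remove Programs) is present, on 32-bit and 64-bit Windows.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$lockInstalled = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -like 'Citrix Desktop Lock*' }
if (-not $lockInstalled) {
    throw 'Citrix Desktop Lock is not installed; run this only after installing it.'
}

# Step 1.2 made the StoreFront site HTTPS-only, so the config.xml URL must be HTTPS
# as well, and it must point at config.xml rather than at the site root.
$uri = $null
if (-not [System.Uri]::TryCreate($ConfigUrl, [System.UriKind]::Absolute, [ref]$uri) -or
    $uri.Scheme -ne 'https' -or $uri.AbsolutePath -notlike '*/config.xml') {
    throw "ConfigUrl must be an https:// URL ending in config.xml (got '$ConfigUrl')."
}

# Back up the key before editing it, as the caution above requires.
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "$keyPath does not exist; Receiver (Enterprise) with PN_Agent is expected to create it."
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('PNAgent-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $keyNative $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE); nothing was changed." }

$old = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Set-ItemProperty -LiteralPath $keyPath -Name $valueName -Value $ConfigUrl -Type String

# Read the value back; on mismatch restore the export so the device is not left
# half-configured with no working desktop.
$new = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName).$valueName
if ($new -ne $ConfigUrl) {
    & reg.exe import $backup | Out-Null
    throw "Verification failed (read back '$new'); restored $backup."
}
Write-Output "ServerURL: '$old' -> '$new' (backup: $backup)"
```

Keep the exported .reg file until the device has been rebooted and a smart card logon has been verified end to end; if the logon fails, `reg.exe import` of that file returns the key to its previous state.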

If Citrix Desktop Lock is installed on the user device, a consistent smart card removal policy is enforced. For example, if the Windows smart card removal policy is set to Force logoff for the desktop, the user must log off from the user device as well, regardless of the Windows smart card removal policy set on it. This ensures that the user device is not left in an inconsistent state. This behavior applies only to user devices with the Desktop Lock, not the Desktop Viewer.