PoC Guide: App protection policies

Overview

This guide is designed to walk you through the technical prerequisites, use cases, and configuration of App protection policies for your on-premises Citrix Virtual Apps and Desktops deployment. App protection is an add-on feature for Citrix Workspace app (CWA) that provides enhanced security when using Citrix Virtual Apps and Desktops published resources. Two policies provide anti-keylogging and anti screen capturing capabilities in a Citrix HDX session.

System Requirements

The App protection policies feature requires a specific version of Citrix Workspace app and supports various endpoints. A special add-on license is required, together with configuration changes on the StoreFront and Delivery Controller servers. Refer to the system requirements in the product documentation for the most up-to-date requirements.

For the current list of supported Citrix Workspace app versions and endpoint operating systems, refer to System Requirements. Additionally, Citrix Ready lists third-party endpoints that are supported by our partners.

Licenses

Valid Citrix licenses are required:

  • Citrix Virtual Apps and Desktops
  • App protection add-on license
  • For Citrix DaaS, the App Protection feature is included as a part of certain Citrix Cloud service packages and licenses are provided directly on Citrix Cloud.

On-premises Citrix Virtual Apps and Desktops Infrastructure

The following server components are required only for on-premises deployments. For Citrix DaaS deployments, skip to the Workspace Installation section.

  • StoreFront 1912 or higher
  • Delivery Controller 1912 or higher

Installation - Delivery Controller

Note:

The following steps are required only for Citrix Virtual Apps and Desktops versions 1912, 2003, and 2006; the app protection feature is automatically included in newer releases. The only step required on newer releases is enabling XML trust (the first step).

  1. Enable XML Trust by running the following command:

    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true


  2. After you purchase the app protection feature, download the FeatureTable.OnPrem.AppProtection.xml file from the Citrix Virtual Apps and Desktops 1912 or later download page.

    Note:

    The App Protection Policies XML file is located under Components.


  3. Click Download File and save the file to local disk.


  4. On any Delivery Controller, launch PowerShell and load the Citrix PowerShell snap-ins using the cmdlet:

    Add-PSSnapin Citrix*


  5. In PowerShell, navigate to the folder where the XML file was downloaded.
  6. Enable the App protection feature with the following command:

    Import-ConfigFeatureTable FeatureTable.OnPrem.AppProtection.xml


  7. Verify that App Protection is enabled with the following command:

    Get-ConfigEnabledFeature | Select-String -Pattern "AppProtection"


Installation - Licensing

  1. Download the license file and import it into the Citrix License Server alongside an existing Citrix Virtual Desktops license.
  2. Use the Citrix Licensing Manager to import the license file. For more information, see Install licenses.

Installation - Citrix Workspace app

  1. Include the app protection component using one of the following methods:

    For Windows: During Citrix Workspace app installation, select Enable app protection and then click Install to continue with the installation, or use the command-line switch CitrixWorkspaceApp.exe /includeappprotection. For more information, see the App protection section of the Citrix Workspace app for Windows product documentation.


    For macOS: App protection requires no specific installation or configuration on Citrix Workspace app for Mac.

    Note:

    It is not possible to add App protection support to older clients. Uninstall the old version of Citrix Receiver / Citrix Workspace app and install a new version with the App protection component.

  2. Click Finish


  3. Click Yes to restart your computer


Configuration - Delivery Group

Anti-keylogging and anti screen capture protection is configured at the delivery group level using PowerShell. Two properties on each delivery group affect the behavior of app protection policies:

  • AppProtectionKeyLoggingRequired - can be $True (enabled) or $False (disabled)
  • AppProtectionScreenCaptureRequired - can be $True (enabled) or $False (disabled)

  1. On any Delivery Controller, launch PowerShell and load the Citrix PowerShell snap-ins using the cmdlet:

    Add-PSSnapin Citrix*

  2. To enable App protection for the Admin Desktop delivery group, use the following command:

    Set-BrokerDesktopGroup -Name "Admin Desktop" -AppProtectionKeyLoggingRequired $True -AppProtectionScreenCaptureRequired $True


  3. Validate the settings by running the following PowerShell command:

    Get-BrokerDesktopGroup -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired | Format-Table -AutoSize
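
The validation in step 3 can be turned into a gap report that lists only the delivery groups where one or both protections are off. This is an added example, not part of the original Citrix guide: the function name Get-AppProtectionGap, the Coverage labels, and the sample group names other than "Admin Desktop" are assumptions made for illustration.

```powershell
# Added example (hypothetical helper, not a Citrix cmdlet).
# Classifies each delivery group by how much of App protection is enforced,
# using the two properties configured in the steps above.
function Get-AppProtectionGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$DesktopGroup
    )
    process {
        # A missing or $null property is treated as "not enforced".
        $keylog = [bool]$DesktopGroup.AppProtectionKeyLoggingRequired
        $screen = [bool]$DesktopGroup.AppProtectionScreenCaptureRequired

        $coverage = if ($keylog -and $screen) {
            'Full'
        } elseif ($keylog -or $screen) {
            'Partial'   # only one of the two protections is required
        } else {
            'None'
        }

        [pscustomobject]@{
            Name              = $DesktopGroup.Name
            AntiKeylogging    = $keylog
            AntiScreenCapture = $screen
            Coverage          = $coverage
        }
    }
}

# Constructed sample data so the function can be tried without a Citrix site.
$sample = @(
    [pscustomobject]@{ Name = 'Admin Desktop';   AppProtectionKeyLoggingRequired = $true;  AppProtectionScreenCaptureRequired = $true  }
    [pscustomobject]@{ Name = 'Finance Apps';    AppProtectionKeyLoggingRequired = $true;  AppProtectionScreenCaptureRequired = $false }
    [pscustomobject]@{ Name = 'General Desktop'; AppProtectionKeyLoggingRequired = $false; AppProtectionScreenCaptureRequired = $false }
)

# Show only groups that are not fully protected.
$sample | Get-AppProtectionGap |
    Where-Object { $_.Coverage -ne 'Full' } |
    Format-Table -AutoSize

# On a Delivery Controller, after Add-PSSnapin Citrix*, feed it live data:
#   Get-BrokerDesktopGroup | Get-AppProtectionGap | Where-Object { $_.Coverage -ne 'Full' }
```

A 'Partial' result is worth reviewing, since a group with only one property set leaves the other capture path unprotected.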


Testing - Citrix Workspace app for Windows

The following steps provide guidance for anti screen sharing testing only. To test anti-keylogging protection, we recommend consulting with your own security team.

  1. Launch Citrix Workspace app and log in


  2. Click on a protected virtual app or virtual desktop (for example Admin Desktop) and launch the HDX session. If you don't see protected resources, you are probably using a web store or an unsupported Citrix Receiver / Citrix Workspace app.


  3. (Optional) If App protection is not installed, you get the following popup when trying to launch a protected virtual app or desktop. Click Yes


    Note:

    This option is not available with older versions of Citrix Receiver / Citrix Workspace app

  4. Try to perform a screen capture


  5. Confirm that you see a blank screen (expected behavior)


When testing anti-keylogging and anti screen capture protection, be aware of expected behavior:

  • Anti-keylogging - This feature is active only when a protected window is in focus
  • Anti screen capture - This feature is active when a protected window is visible (not minimized)

Another simple method to test the anti screen capture protection is to use one of the popular conference tools (GoToMeeting, Microsoft Teams, Zoom, or Slack). Screen sharing should not be possible when protection is enabled.

References

Product Documentation - Citrix Workspace app

Product Documentation - App protection
