Browser restrictions through Secure Private Access for StoreFront
You can now configure web and SaaS apps in StoreFront using the Secure Private Access solution. Once after you configure the apps, end users can open the web and SaaS apps using Citrix Enterprise Browser with enhanced security.
For more information on Secure Private Access support for StoreFront, see:
-
Secure Private Access Overview in the Citrix Secure Private Access documentation.
Restrict end user access on Citrix Enterprise Browser
An administrator can apply the following access restrictions to Citrix Enterprise Browser for end users by using the Secure Private Access solution.
Restrict clipboard access
Disables cut, copy, and paste operations between the app and the endpoint’s clipboard.
For more information, see Clipboard in Citrix Secure Private Access product documentation.
Restrict printing
Disables the ability to print from within the app.
For more information, see Printing in Citrix Secure Private Access product documentation.
Restrict downloads
Disables the ability to download from within web and SaaS apps or copy files from the browser.
For more information, see Downloads in Citrix Secure Private Access product documentation.
Restrict upload
Disables the ability to upload files.
Note:
The restrict upload feature is available on:
- Windows 105.1.1.27 and later
- Mac 105.1.1.36 and later
For more information, see Uploads in Citrix Secure Private Access product documentation.
Display watermark
Overlays a screen-based watermark that shows the user name and public IP address of the endpoint.
Note:
The Restrict navigation option isn’t supported.
For more information, see Watermark in Citrix Secure Private Access product documentation.
App protection policies
Restrict keylogging
Protects users from keyloggers.
For more information, see Keylogging protection in Citrix Secure Private Access product documentation.
Restrict screen capturing
Disables capturing screenshots or screen recording for the app that this policy is applied to. This policy is applied as long as a protected tab is visible (not minimized) in your browser window.
For more information, see Screen capture in Citrix Secure Private Access product documentation.
Personal data masking
Administrators can use the Personal data masking restriction to mask various types of Personal Identifiable Information (PII) such as credit card numbers, social security numbers, and dates. The masked contents remain secured even when copied or printed, ensuring comprehensive safeguarding of sensitive information.
The Personal data masking restriction has the option to fully or partially mask the information. The Full masking option masks the information completely. The Partial masking option can be used to masks relevant areas of the information.
In the Partial masking option, administrators can choose how many characters to mask from the information, either from the beginning or the end. Respective text boxes are available to enter the character count.
Additionally, as an administrator, you have the flexibility to define the custom PII detection rules according to your requirements using regular expressions. This capability allows you to detect and mask specific information from the web page.
Note:
This feature supports only Regular expression 2 (RE2). For more information, see WhyRE2 and RE2 Syntax.
When you enable this restriction, Citrix Enterprise Browser detects the PII you choose to mask, then masks it, and displays a notification to end users.
Configuration
To know more information about configuring this restriction, see Personal data masking in the Citrix Secure Private Access documentation.
Note:
- When defining PII detection rules, we recommend you to test the regular expressions before deploying them.
- PII masking isn’t applicable to PDF files, images, and web pages with editable content.
For more information, see Personal data masking in Citrix Secure Private Access product documentation.
Clipboard restriction for Security groups
Administrators can manage clipboard restrictions either through Global App Configuration service (GACS) or Secure Private Access or a combination of the two. This minimizes the risk of unauthorized data transfers and data leakage, making it an essential feature for organizations with stringent security requirements.
Note:
For more information on managing clipboard restrictions through Global App Configuration service (GACS), see Clipboard restriction
Restrict clipboard access through Secure Private Access
When you manage the clipboard restriction through Secure Private Access, the restriction gets applied only to those apps’ URLs that are added for restriction.
Clipboard restriction using Security groups
To restrict clipboard access to specific apps that are configured in Citrix Secure Private Access and are opened in Citrix Enterprise Browser, administrators must create a Security groups and add those specific apps to it. This allows end users to copy and paste content only among the apps within that Security groups. For example, let’s assume you create a Security groups adding the apps Wikipedia, Pinterest, and Dribble. So, when users open these apps from Citrix Workspace, they can copy and paste content only among these three apps.
To create a Security groups and add any designated group of apps, see Create Security groups in the Citrix Secure Private Access product documentation.
If administrators need to enable copy and paste content between Security groups’ app and other local apps on their machines or unpublished apps, see Enable copy and paste between Security groups and other unpublished apps.
Note:
If administrators want to impose stricter restrictions on the specific apps within a Security groups, such as enabling or disabling copy and paste functionalities for a particular app within a Security groups, you can manage it by creating an access policy for that particular app. There are two access settings options, Copy and Paste, available inside an access policy rule security settings. For more information on this feature, see Enable granular level copy or paste in the Citrix Secure Private Access product documentation.
Enable copy and paste between Security groups and other unpublished apps
Administrators can even allow end users to perform copy and paste functionalities between the apps in the Security groups and the other unpublished apps opened in the Enterprise browser, or with other native apps present within the system. To manage that, you can use the Advanced clipboard settings option in the Security groups. You can choose any of the following options to manage the settings as per your requirements.
Allow copying of data from the security group to unpublished domains: Enable copying of data from apps in the Security groups to websites that are not published in Secure Private Access.
Allow copying of data from the security group to native apps: Enable copying of data from the apps in the Security groups to local apps on the machine.
Allow copying of data from the unpublished domains to the security group: Enable copying of data from the apps not published through Secure Private Access to websites in the Security groups.
Allow copying of data from native apps operating system the security group: Enable copying of data from local apps on the machine to the apps in the Security groups.
For more information, see the Advanced clipboard settings in the Citrix Secure Private Access product documentation.
Note:
- When you apply clipboard restriction through both GACS and Secure Private Access, the restriction applied through Secure Private Access takes precedence over GACS.
- The individual restrictions such as Copy, Paste, and Clipboard supersede the Clipboard restriction for Security groups.
For more information, see Clipboard restriction for security groups in Citrix Secure Private Access product documentation.
End-user experience
When the clipboard restrictions are enabled on any web pages, the following notification appears when users try to paste any contents to a restricted web page.
When the clipboard restriction is enabled, the Cut, Copy and Paste functionalities appear disabled on the right-click menu list. Alternatively, users have to use either keyboard shortcuts or access the Cut, Copy and Paste options from More ( ⋮ ) > Find and edit.
Upload restriction by file type
Administrators can restrict file uploads based on MIME (multi-purpose internet mail extensions) types. Unlike the Uploads policy, which allows you to enable or disable all file uploads, the Upload restriction by file type policy allows you to enable or disable file uploads for specific MIME types.
When an end user tries to upload a restricted file type, Citrix Enterprise Browser displays a warning message.
For more information on configuring this restriction, see Upload restriction by file type in Citrix Secure Private Access documentation.
Download restriction by file type
Administrators can restrict file downloads based on MIME (multi-purpose internet mail extensions) types. Unlike the Downloads policy, which allows you to enable or disable all file downloads, the Download restriction by file type policy allows you to enable or disable file downloads for specific MIME types.
For more information on configuring this restriction, see Download restriction by file type in Citrix Secure Private Access documentation.
Note:
When both Uploads and Upload restriction by file type restrictions are enabled in a policy, the Uploads restriction takes precedence over the other. Similarly, when both Downloads and Download restriction by file type restrictions are enabled in a policy, the Downloads restriction takes precedence over the other.
Printer management
Enterprises can now prevent the printing of confidential documents and unauthorized data sharing. Admins can configure this policy through Secure Private Access. Admins can configure the behavior for network printers, local printers, and print using the Save as PDF option.
In Windows:
In Mac:
The following options are available for administrators to control access to printers for the end users:
-
Network printers: A network printer is a printer that can be connected to a network and used by multiple users.
- Disabled: Printing from any network printers in the network is disabled.
- Enabled: Printing from all network printers is enabled. If printer hostnames are specified, then all other network printers apart from the ones specified are blocked.
Note:
Printers are identified by their hostnames.
-
Local printers: A local printer is a device directly connected to an individual computer. This connection is typically facilitated through Bluetooth, USB, parallel ports, or other direct interfaces.
- Disabled: Printing from all local printers is disabled.
- Enabled: Printing from all local printers is enabled.
-
Print using Save as PDF
- Disabled: The Save as PDF option for saving the content in PDF format is disabled.
- Enabled: The Save as PDF option for saving the content in PDF format is enabled.
Note:
- If the admin has disabled certain printing options, then those options appear grayed out to the end users.
- End users can’t use the network printer if it is renamed on their device.
For more information, see Printer management in Citrix Secure Private Access product documentation.