Terminate active sessions and add users/machines to the block list
Admins can terminate all active sessions immediately and add the users/machines to the block list. Adding a user/machine to the block list terminates all active Secure Private Access application sessions and blocks future application access.
All active application sessions via Citrix Enterprise Browser, direct access, CWA for HTML5, and the Secure Access agent are terminated and blocked. All resources connected through the Secure Access agent such as file shares, RDP, SSH sessions are terminated and blocked as well. Users cannot launch any new applications until the users/machines are removed from the blocked list.
Note:
- Adding a user/machine to the block list does not change or edit the configured Secure Private Access access policy. Access termination and blocking happen regardless of the configured access policy. Once the user/machine is removed from the list, the existing Secure Private Access access policies for the user are reinstated.
- Only the access to published Secure Private Access applications is blocked. Internet access via Citrix Enterprise Browser is allowed or denied even after a user/machine is added to the block list based on your web filtering configuration.
Use cases
You can use this feature in the following scenarios.
- An employee quits the organization or is terminated from the organization. In this case, the admin revokes all Secure Private Access app access by terminating active Secure Private Access sessions and blocking any future app access.
- A device is lost or stolen. In this case, the access is blocked and all current sessions are terminated. The user can be removed from the block list after the situation is under control.
- A user misuses the app access. In this case, access for the user can be immediately revoked. Access remains blocked until the user is removed from the list.
Add users/machines to the block list
- Navigate to Secure Private Access > Policies > Blocklist.
- In Domain, select the domain for which the access must be disabled.
- In User, search for the user name that must be added to the block list. All user names that match the search criteria are displayed. If the user is removed from the directory service, then that user name does not appear in the User list.
  Note:
  The User field appears only if the Users tab is selected.
- In Machine, search for the machine name that must be added to the block list. All machine names that match the search criteria are displayed. If the machine is removed from the directory service, then that machine name does not appear in the Machine list.
  Note:
  The Machine field appears only if the Machines tab is selected.
- In Block duration (days), enter the number of days for which this user/machine must be blocked. Once you add the user/machine to the blocked list, they are blocked for 7 days by default. However, you can change the duration to anywhere between 1 and 99 days. After the duration ends, the access is restored based on the user directory and policy configuration. This value also persists for the user/machine across future additions. For example, if an admin sets the block duration for a user/machine to 30 days, that setting is reused the next time the same user/machine is added to the block list.
- Click Block user or Block machine accordingly.
  Note:
  The Block user or the Block machine field appears depending on the tab (Users or Machines) that is selected.

The user/machine is added to the block list.
Recommendations:
- You can restore the access even before the block duration ends by doing one of the following:
  - Select the user/machine for which you must restore access and then click Restore access.
  - Click the restore icon in line with the user for which you want to restore access.
  In both cases, a confirmation dialog appears.
- To revoke access for a user/machine indefinitely, remove the user/machine from your respective directory service, such as Active Directory, and then add them to the block list. This terminates the active Secure Private Access sessions and blocks future app access; once the user/machine is logged out of Workspace, the user/machine cannot log in again because the directory credentials are no longer active.
End user experience after a user/machine is added to the block list
When a user is blocked:
- All active Secure Private Access sessions are immediately terminated.
- Future access to all Secure Private Access published applications is blocked.
- Internet access via Citrix Enterprise Browser is allowed even after a user is added to the block list. Only access to published Secure Private Access applications is blocked.
When a machine is blocked:
- Once a machine is added to the block list, the user’s access to all currently running applications is blocked.
- Any attempt to access new applications triggers a logout request.