Citrix Secure Private Access

Terminate active user sessions and add users to the user block list

Admins can terminate all active end user sessions immediately and add the users to the user block list. Adding a user to this user block list terminates all active Secure Private Access application sessions and blocks future application access.

All active application sessions via Citrix Enterprise Browser, direct access, CWA for HTML5, and the Secure Access agent are terminated and blocked. All resources connected through the Secure Access agent such as file shares, RDP, SSH sessions are terminated and blocked as well. Blocked users cannot launch any new applications until they are removed from the blocked user list.

Note:

  • Adding a user to the user block list does not change or edit the configured Secure Private Access access policy. Access termination and blocking happen despite whatever access policy is configured. Once the user is removed from the list, the existing Secure Private Access access policies for the user are reinstated.
  • Only the access to published Secure Private Access applications is blocked. Internet access via Citrix Enterprise Browser is allowed or denied even after a user is added to the block list based on your web filtering configuration.

Use cases

You can use this feature in the following scenarios.

  • An employee quits the organization or is terminated from the organization. In this case, the admin revokes all Secure Private Access app access by terminating active Secure Private Access sessions and blocking any future app access.
  • A device is lost or stolen. In this case, the access is blocked and all current sessions are terminated. The user can be removed from the user block list after the situation is under control.
  • A user misuses the app access. In this case, access for the user can be immediately revoked. Access is blocked until the user is added to the list.

Add users to the user block list

  1. Navigate to Secure Private Access > Policies > Blocklist.
  2. In Domain, select the domain for which the access must be disabled.
  3. In User, search for the user name that must be added to the user block list. All user names that match the search criteria are displayed. If the user is removed from the directory service, then that user name does not appear in the User list.
  4. In Block duration (days), enter the number of days for which this user must be blocked. Once you add the user to the blocked list, they are blocked for 7 days by default. However, you can change the duration to anywhere between 1 and 99 days. After the duration ends, the user access is restored based on the user directory and policy configuration. Also, this value remains persistent for the user for future additions. For example, if an admin sets the block duration for a user at 30 days, this setting persists for the user for future additions.
  5. Click Block user.

    The user is added to the user block list. The following actions occur once the user is added to the user block list:

    • All active Secure Private Access sessions are immediately terminated.
    • Future access to all Secure Private Access published applications is blocked.
    • Internet access via Citrix Enterprise Browser is allowed even after a user is added to the user block list. Only access to published Secure Private Access applications is blocked.

Disable user access

You can restore the access even before the block duration ends by doing one of the following steps.

  • Select the access for which you must restore access and then click Restore access.
  • Click the restore icon in line with the user for which you want to restore access.

In both cases, a confirmation dialog appears.

Recommendations:

  • To revoke access for a user indefinitely, remove the user from your respective directory service, such as Active Directory, and then add them to the user block list. This terminates the user’s active Secure Private Access session, blocks future app access, and once the user is logged out of Workspace, the user cannot log in again due to inactive directory credentials.
Terminate active user sessions and add users to the user block list