Citrix Virtual Apps and Desktops

Composite Devices and Device Splitting

A composite USB device is a single device that acts like multiple independent USB devices connected to a computer. It has a single USB connector but it can expose multiple interfaces to the computer with each having its own set of functionalities. When a user plugs in a composite USB device, the host device checks for all functions (interfaces) against each policy rule. If the first match for any function(interface) is a Deny rule, the rule is considered definitive for the composite device and the device is denied. If the first match for a function (interface) is an Allow rule, the host device continues to match the rules against the next function (interface). The composite device is allowed if no function (interface) is denied by a policy rule. If definitive match for composite device is a Deny Rule, the device is available only to the local desktop otherwise the device is remoted to the virtual desktop. If no match is found, default rules are used.

Device_Splitting

We can split the composite device using the appropriate rules in the Device redirection rules (Version 2) policy to allow only specific functionality of a composite device. For instance, we may want to use just the HID functions of a FIDO2 key but not the smartcard functionality. In that case, we would set the rules as illustrated below:

  1. Connect: VID=1050 PID=0407 class=03 split=01 intf=00,01 #Yubikey series 5 allowed FIDO2 HID functions.

  2. Deny: VID=1050 PID=0407 split=01 intf=02 # Yubikey series 5 smartcard function blocked.

Tip:

When creating new policy rules, refer to the USB Class Codes, available on the USB web site.

Configuring a signature pad

  1. Install the appropriate device driver on the VDA host.

  2. Enable the Client USB device redirection policy setting in Citrix Web Studio.

  3. Edit the Client USB device redirection rules (Version 2) policy setting.

    1. Set the VID and PID information for the signature pad that needs to be redirected and click Save. For example: Connect: VID=06A8 PID=0057 class=03 #Topaz HSB
  4. Edit the policy setting Client USB device optimization rules.

    1. Set the mode along with other device information. For example: Mode=00000004 VID=06A8 PID=0057 class=03 #Input device operating in capture mode
  5. Edit the policy setting Allow existing USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  7. Edit the policy setting Allow newly arrived USB devices to be automatically connected.

  8. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

Once these settings are configured, subsequent session launches will have the device getting automatically redirected and will not require any additional end user action.

Note:

Replace the VID and PID with the actual VID and PID of the device to be redirected.

Configuring Bloomberg keyboard using USB redirection

  1. Enable the Client USB device redirection policy setting in Citrix Web Studio.

  2. Bloomberg 5 keyboards are set by default in the Client USB device redirection rules (Version 2) policy setting and no additional admin action is needed.

  3. Edit the policy setting Allow existing USB devices to be automatically connected.

  4. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  5. Edit the policy setting Allow newly arrived USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

Once these settings are configured, Bloomberg keys will automatically be presented in subsequent HDX sessions and will not require any additional end user action.

Configuring a FIDO2 key using USB redirection

Citrix recommends using FIDO2 redirection for using FIDO2 keys in your HDX sessions. However, there might be situations in which you must redirect FIDO2 keys using USB redirection instead. These include scenarios where FIDO2 redirection is not available because the feature is not supported by the client, the VDA, or the operating system (e.g. Windows Server 2016).

There can also be situations in which the key has multiple modes enabled, but you only want to allow a subset of those in your HDX sessions. For example, you might want to allow FIDO2 and OTP, but block the smart card.

The following steps illustrate how you can configure a FIDO2 key using USB redirection (Yubikey vid=1050, pid=0407).

  1. Enable the Client USB device redirection policy setting in Citrix Web Studio.

  2. Edit the Client USB device redirection rules (Version 2) policy setting.

    1. Set the VID and PID information as well as the split device configuration for the FIDO2 key to be redirected in the session and click Save.

    2. Connect: VID=1050 PID=0407 class=03 split=01 intf=00,01 #Yubikey series 5 allowed FIDO2 HID functions.

    3. Deny: VID=1050 PID=0407 split=01 intf=02 # Yubikey series 5 smartcard function blocked.

  3. Edit the policy setting Allow existing USB devices to be automatically connected.

  4. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  5. Edit the policy setting Allow newly arrived USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

Once these settings are configured, FIDO2 keyboards will automatically be presented in subsequent HDX sessions and will not require any additional end user action.

Configuring a 3-d mouse using USB redirection

Today, the 3dConnexion space mouse drivers are only supported on workstation OSes (Win 10 and Win11). They do not work on server OS. The following are the steps to configure a SpaceMouse Enterprise on a workstation OS (vid=046D, pid=C016).

  1. Install the latest Windows driver on the VDA host.

  2. Enable the Client USB device redirection policy setting in Citrix Web Studio.

  3. Edit the Client USB device redirection rules (Version 2) policy setting.

    1. Set the VID and PID information for the signature pad that needs to be redirected and click Save. For example: Connect: VID=046D PID=C016 #SpaceMouse Enterprise
  4. Edit the policy setting Client USB device optimization rules.

    1. Set the mode along with other device information. For example: Mode=00000004 VID=046D PID=C016 class=03 #Input device operating in capture mode
  5. Edit the policy setting Allow existing USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  7. Edit the policy setting Allow newly arrived USB devices to be automatically connected.

  8. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

Configuring two or more devices using USB redirection with different device rules

Multiple devices can be redirected inside the HDX session with different device rules. An admin may want to redirect one device automatically while providing an option to the end user to redirect the other device. The following are the steps to configure two devices with different rules.

  1. Enable the Client USB device redirection policy setting in Citrix Web Studio.

  2. Edit the Client USB device redirection rules (Version 2) policy setting.

    1. Add the VID and PID information of the two devices to be redirected with the appropriate device rule in the session and click Save.

    2. Allow: VID=0911 PID=0c1c #Phillips speech mic.

    3. Connect: VID=06A8 PID=0043 class=03 # Topaz HSB signature pad

  3. Edit the policy setting Allow existing USB devices to be automatically connected.

  4. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

  5. Edit the policy setting Allow newly arrived USB devices to be automatically connected.

  6. Clear the Use default value checkbox and select Automatically redirect available USB devices from the drop down menu and click Save.

Once these settings are configured, the Topaz HSB signature pad will automatically be presented in subsequent HDX sessions and will not require any additional end user action. The Phillips speech mic on the other hand will require the end user to enable redirection in Connection Center or in the Devices tab of CDViewer.

Composite Devices and Device Splitting