Citrix Workspace app

App Protection

July 24, 2024

Contributed by:

C K I

App Protection is a feature for the Citrix Workspace app that provides enhanced security when using virtual desktops, virtual apps, web and SaaS apps. App Protection is supported for on-premises Citrix Virtual Apps and Desktops deployments, and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) with StoreFront and Workspace. It means that App Protection is supported on all cloud environments, on-premises environments, and hybrid environments. App Protection is also supported when you are connecting to StoreFront or Workspace via ADC Gateway.

For more information on App Protection features, see Features and Configure sections.

After buying this feature, make sure you enable the App Protection license.

Disclaimer:

App Protection policies work by filtering access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). Doing so means that App Protection policies can provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.

Citrix App Protection policies work effectively with underlying operating system components, including ICA files. Citrix might not provide support if intentional tampering or modification of the underlying components is detected, to provide the integrity of policies applied.

App Protection behavior on different environments

The behavior of App Protection depends on how you access the resources that are configured with App Protection policies. These resources include Virtual Apps and Desktops, internal web apps, and SaaS apps. You can access these resources using a supported native Citrix Workspace app client or a web browser. App Protection performs varyingly on different environments:

Unsupported Citrix Receivers or Citrix Workspace apps - The resources that are configured with App Protection policies are not available.
Supported Citrix Workspace app versions - The resources that are configured with App Protection policies are available and launches properly.
Hybrid launch using Workspace store URL - The resources that are configured with App Protection policies are always available. To successfully launch the resources on a web browser using the Workspace store URL, see App Protection for hybrid launch for Workspace.
Hybrid launch using StoreFront store URL - The resources that are configured with App Protection policies are not available if the StoreFront customization is not deployed. To successfully launch the resources on a web browser using the StoreFront store URL, see App Protection for hybrid launch for StoreFront.

Protection is applied under the following conditions:

Anti-screen capture – For Citrix Workspace app for Windows and Citrix Workspace app for Mac, it is enabled if any protected window is visible on the screen. To disable protection, minimize all protected windows. For Citrix Workspace app for Linux, it is enabled if any protected window is active. To disable protection, close all protected windows.
Anti-keylogging – Enabled if a protected window is in focus. To disable protection, change focus to another window.

What does App Protection protect?

App Protection protects the following Citrix windows:

Citrix sign in windows
Citrix Workspace app HDX session windows (For example, managed desktop)
Self-Service (Store) windows
Web and SaaS apps
- Citrix Workspace app for Windows and Citrix Workspace app for Mac - Web and SaaS apps open in the Citrix Enterprise Browser. If the apps are configured to have the App Protection policies through the Citrix Secure Private Access, then App Protection is applied on a per tab basis.
- Citrix Workspace app for Linux - Citrix Enterprise Browser is not supported.

Note:

To offer the App Protection solution, few Citrix signed DLLs such as ctxapclient32.dll, ctxapclient64.dll, and FeatureFlagHelper64.dll might be injected into other processes. These DLLs are harmless and it is safe to have the traces of these DLLs in the log files of other processes.

What doesn’t App Protection protect?

The following items under the Citrix Workspace apps icon in the navigation bar:
- Connections Center
- All links under Advanced Preferences
- Personalize
- Check for Updates
- Sign Out
If you choose to protect a virtual desktop with anti-screen-capturing, users can still screen share from apps within the virtual desktop. However, for the apps outside of the virtual desktop, you can’t take screenshots, or record the virtual desktop.

Limitations

The following limitations exist by design:

App Protection enabled virtual apps and desktops are blocked from launching when accessed within RDP sessions.
Within the RDP session, App Protection isn’t supported on the Web and SaaS apps opened using the Citrix Enterprise Browser.
App Protection is not supported in double-hop and multiple-hop scenarios.
App Protection is not supported if you’re on an unsupported version of the Citrix Workspace app or Citrix Receiver. In that case, resources are hidden.
When the App Protection features are applied to virtual apps and desktops, outgoing screen sharing might be affected if optimization is used.
Citrix Workspace app with App Protection might not be compatible with some other security solutions or apps using similar underlying technology.
App Protection is not supported when you launch resources from within the Citrix Secure Browser, or with Remote Browser Isolation.
In Citrix Workspace app for Linux, you’re unable to use snap applications when App Protection is installed.

Contextual App Protection

Contextual App Protection provides the granular flexibility to apply the App Protection policies conditionally for a subset of users - based on users, their device, and the network posture. For more information, see the following articles:

App Protection for hybrid launch

Hybrid launch of Citrix Virtual Apps and Desktops is when you log in to Citrix Workspace app through the browser (Citrix Workspace for Web), and use the applications through the native Citrix Workspace app. The term hybrid is the result of users applying the combination Citrix Workspace app for Web and the native Citrix Workspace app to connect and use the resources. App Protection supports hybrid launch in Workspace and StoreFront. For more information, see the following articles:

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

App Protection

July 24, 2024

Contributed by:

C K I

July 24, 2024

Contributed by:

C K I

App Protection

App Protection behavior on different environments

What does App Protection protect?

What doesn’t App Protection protect?

Limitations

Contextual App Protection

App Protection for hybrid launch

In this article