Security

App Protection

App Protection is an add-on feature that provides enhanced security when using Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). Use this feature to:

  • restrict the ability of clients to be compromised by keylogging and screen-capturing malware.
  • protect against exfiltration of confidential information such as user credentials and sensitive information shown on the screen.
  • prevent users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information. For more information, see App Protection.

Disclaimer

App Protection policies filter the access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.

To configure App Protection on Citrix Workspace app for Windows, see the Citrix Workspace app for Windows section in the Configuration article.

Note:

App Protection is supported only on upgrade from version 1912 onwards.

ICA security

When a user launches an app or desktop, StoreFront generates ICA information, which contains instructions to the client on how to connect to the VDA.

In-memory hybrid launches

When the user launches a resource, StoreFront generates an ICA file containing instructions on how to connect to the resource. When launched within Citrix Workspace app for Windows, the ICA file is handled within memory and never saved to disk.

When the user opens their store in a web browser and uses Citrix Workspace app for Windows to connect to the resource, it is known as a hybrid launch. Depending on configuration, there are various ways in which the launch can occur; see StoreFront User access options.

Citrix Workspace app for Windows supports Citrix Workspace launcher and Citrix Workspace web extensions for in-memory ICA launches from the user’s browser. It is recommended that you disable the user’s option to download ICA files. This removes that attack surface and prevents malware from misusing an ICA file stored locally. To disable the user’s option to download ICA files in StoreFront 2402 and higher, see the StoreFront documentation. To disable the user’s option to download ICA files in Workspace, see the Workspace PowerShell documentation.

Prevent launching of ICA files from disk

Once you have ensured that your own system always uses in-memory launches, Citrix recommends that you disable launching ICA files from disk, so that users cannot open ICA files they have received from malicious sources by methods such as email. You can disable launching of ICA files from disk by using any of the following methods:

  • Global App Config service
  • Group Policy Object (GPO) Administrative template on the client

Global App Config service

You can use the Global App Configuration service from Citrix Workspace app 2106. Under Security and Authentication > Security Preferences, set the policy Block Direct ICA File Launches to enabled.

Group Policy

To block session launches from ICA files that are stored on the local disk using Group Policy, do the following:

  1. Open the Citrix Workspace app GPO administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace > Client Engine.
  3. Select the Secure ICA file session launch policy and set it to Enabled.
  4. Click Apply and then OK.

ICA file signing

ICA file signing helps protect you from an unauthorized app or desktop launch. Citrix Workspace app verifies that a trusted source generated the app or desktop launch based on an administrative policy and protects against launches from untrusted servers. You can configure ICA file signing using the GPO administrative template or StoreFront. The ICA file signing feature isn’t enabled by default.

For information about enabling ICA file signing for StoreFront, see ICA file signing in StoreFront documentation.

Configure ICA file signature

Note:

If the CitrixBase.admx\adml isn’t added to the local GPO, the Enable ICA File Signing policy might not be present.

  1. Open the Citrix Workspace app GPO administrative template by running gpedit.msc
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components.
  3. Select the Enable ICA File Signing policy and select one of the options as required:
    1. Enabled - Indicates that you can add the signing certificate thumbprint to the allow list of trusted certificate thumbprints.
    2. Trust Certificates - Click Show to remove the existing signing certificate thumbprint from the allow list. You can copy and paste the signing certificate thumbprints from the signing certificate properties.
    3. Security policy - Select one of the following options from the menu:
      1. Only allow signed launches (more secure) - Allows only signed app and desktop launches from a trusted server. A security warning appears when there’s an invalid signature, and the session launch fails because it isn’t authorized.
      2. Prompt user on unsigned launches (less secure) - A message prompt appears when an unsigned or invalidly signed session is launched. You can choose to either continue the launch or cancel the launch (default).
  4. Click Apply and then OK to save the policy.
  5. Restart the Citrix Workspace app session for the changes to take effect.

When selecting a digital signature certificate, we recommend you choose from the following priority list:

  1. Buy a code-signing certificate or SSL signing certificate from a public Certificate Authority (CA).
  2. If your enterprise has a private CA, create a code-signing certificate or SSL signing certificate using the private CA.
  3. Use an existing SSL certificate.
  4. Create a root CA certificate and distribute it to user devices using GPO or manual installation.
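The following PowerShell script is an added example, not code from Citrix or this documentation. It inspects a candidate ICA signing certificate before its thumbprint is pasted into the Trust Certificates allow list: it checks that the certificate has a Code Signing or Server Authentication EKU (matching the certificate types in the priority list above), that it is within its validity period, and that its chain builds on this device. The subject name and file path are assumptions; adjust them for your certificate.

```powershell
# Added example (not Citrix code): check an ICA signing certificate before
# adding its thumbprint to the "Trust Certificates" allow list.
# Assumes the certificate is in the local machine personal store, or is
# supplied as an exported .cer file via -CerPath.
param(
    [string]$Subject = 'CN=ICA Signing',   # assumption: subject of the signing cert
    [string]$CerPath = ''                  # optional: path to an exported .cer file
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU
$serverAuthOid  = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (SSL certificate)

if ($CerPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
} else {
    # Pick the longest-lived certificate with the expected subject
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}
if (-not $cert) { throw "No certificate found for subject '$Subject'" }

# Collect the Enhanced Key Usage OIDs from the certificate extensions
$ekus = @()
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
}

$now    = Get-Date
$valid  = ($now -ge $cert.NotBefore) -and ($now -lt $cert.NotAfter)
$usable = ($ekus -contains $codeSigningOid) -or ($ekus -contains $serverAuthOid)

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    NotAfter    = $cert.NotAfter
    CodeSigning = ($ekus -contains $codeSigningOid)
    ServerAuth  = ($ekus -contains $serverAuthOid)
    Valid       = $valid
    ChainTrusted = $cert.Verify()   # chain must also build on the user devices
    # Thumbprint as shown in the certificate properties; this is the value
    # to paste into the Enable ICA File Signing allow list
    Thumbprint  = $cert.Thumbprint
}
if (-not ($usable -and $valid)) {
    Write-Warning 'Certificate is expired, not yet valid, or lacks a signing EKU; choose another.'
}
```

If ChainTrusted is false on the device where you run this but the certificate comes from a private CA, distribute the root CA certificate to user devices (step 4 above) before relying on signed-only launches.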

Inactivity timeouts

Timeout for Workspace sessions

Admins can configure the inactivity timeout value to specify the amount of idle time allowed before the users automatically sign out of the Citrix Workspace session. You’re automatically signed out of Workspace if the mouse, keyboard, or touch is idle for the specified interval of time. The inactivity timeout doesn’t affect the active virtual apps and desktops sessions or Citrix StoreFront stores.

To configure inactivity timeout, see the Workspace documentation.

The end-user experience is as follows:

  • A notification appears in your session window three minutes before you’re signed out, with an option to stay signed in or sign out.
  • The notification appears only if the configured inactivity timeout value is greater than or equal to five minutes.
  • Users can click Stay signed in to dismiss the notification and continue using the app, in which case the inactivity timer is reset to its configured value. You can also click Sign out to end the session for the current store.

Timeout for StoreFront sessions

When connected to a StoreFront store, Citrix Workspace app does not apply an inactivity timeout. If you are using a Citrix Gateway, you can configure the gateway’s session timeout. For more information, see the StoreFront documentation.
