Security

App Protection

App Protection is an add-on feature that provides enhanced security when using Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). The feature reduces the risk from client devices compromised by keylogging and screen-capturing malware. App Protection prevents exfiltration of confidential information such as user credentials and sensitive information shown on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information. For more information, see App Protection.

Disclaimer

App Protection policies filter the access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.

To configure App Protection on Citrix Workspace app for Windows, see the Citrix Workspace app for Windows section in the Configuration article.

Note:

App Protection is supported only on upgrade from Version 1912 onwards.

ICA security

When a user launches an application or desktop, StoreFront generates ICA information, which contains instructions to the client on how to connect to the VDA.

In-memory hybrid launches

When the user launches a resource, StoreFront generates an ICA file containing instructions on how to connect to the resource. When launched within Citrix Workspace app for Windows, the ICA file is handled within memory and never saved to disk. When the user opens their store in a web browser and uses Citrix Workspace app for Windows to connect to the resource, this is known as a hybrid launch. Depending on configuration, there are a number of different ways in which the launch can occur; see StoreFront User access options. Citrix Workspace app for Windows supports Citrix Workspace launcher and Citrix Workspace web extensions for in-memory ICA launches from the user’s browser. It is recommended that you disable the user’s option to download ICA files, to reduce the attack surface and prevent malware from misusing an ICA file stored locally. To do this in StoreFront 2402 and higher, see StoreFront documentation. To do this in Workspace, see Workspace PowerShell documentation.

Prevent launching of ICA files from disk

Once you have ensured that your own system always uses in-memory launches, Citrix recommends that you disable launching ICA files from disk. This ensures users cannot open ICA files they have received from malicious sources by methods such as email. Use either of the following methods:

  • Global App Config Service.
  • Group Policy Object (GPO) Administrative template on the client.

Global App Config Service

You can use Global App Config Service from Citrix Workspace app 2106. Under Security and Authentication > Security Preferences, set the policy Block Direct ICA File Launches to enabled.

Group Policy

To block session launches from ICA files that are stored on the local disk using Group Policy, do the following:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace > Client Engine.
  3. Select the Secure ICA file session launch policy and set it to Enabled.
  4. Click Apply and OK.

ICA file signing

ICA file signing helps protect you from an unauthorized application or desktop launch. Citrix Workspace app verifies, based on an administrative policy, that a trusted source generated the application or desktop launch, and protects against launches from untrusted servers. You can configure ICA file signing using the Group Policy Object administrative template or StoreFront. The ICA file signing feature isn’t enabled by default.

For information about enabling ICA file signing for StoreFront, see ICA file signing in StoreFront documentation.

Configure ICA file signature

Note:

If the CitrixBase.admx\adml isn’t added to the local GPO, the Enable ICA File Signing policy might not be present.

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components.
  3. Select the Enable ICA File Signing policy and select one of the options as required:
    1. Enabled - Indicates that you can add the signing certificate thumbprint to the allow list of trusted certificate thumbprints.
    2. Trust Certificates - Click Show to remove the existing signing certificate thumbprint from the allow list. You can copy and paste the signing certificate thumbprints from the signing certificate properties.
    3. Security policy - Select one of the following options from the menu:
      1. Only allow signed launches (more secure) - Allows only signed application and desktop launches from a trusted server. A security warning appears when there’s an invalid signature, and the session launch fails because it isn’t authorized.
      2. Prompt user on unsigned launches (less secure) - A message prompt appears when an unsigned or invalidly signed session is launched. You can choose to either continue the launch or cancel the launch (default).
  4. Click Apply and OK to save the policy.
  5. Restart the Citrix Workspace app session for the changes to take effect.
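The following added example (not Citrix code) models the launch decision the two Security policy settings above produce for a signed, unsigned, tampered, and untrusted-thumbprint ICA file. The real ICA signature format isn’t described here, so the `[Signature]` section layout and the keyed-hash check standing in for certificate verification are constructed assumptions; only the allow-list and policy logic is what the page describes.

```python
# Added example (not Citrix code): models the client-side ICA file signing decision.
# The [Signature] section layout and the keyed-hash "signature" are constructed
# stand-ins for the real certificate signature; they exist only to drive the logic.
import hashlib
import hmac
from enum import Enum

class SecurityPolicy(Enum):
    SIGNED_ONLY = "Only allow signed launches (more secure)"
    PROMPT_UNSIGNED = "Prompt user on unsigned launches (less secure)"

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"      # invalid/untrusted signature: warning shown, launch fails
    PROMPT = "prompt"  # unsigned or invalid under the less secure policy; cancel is default

# Constructed sample ICA body (INI-style), not a real StoreFront launch file.
SAMPLE_BODY = "[WFClient]\nVersion=2\n[ApplicationServers]\nNotepad=\n[Notepad]\nAddress=10.0.0.5\n"

def split_ica(text):
    """Split an ICA file into (body, signature_fields); constructed [Signature] layout."""
    body, sig = text, {}
    if "[Signature]" in text:
        body, sig_block = text.split("[Signature]", 1)
        for line in sig_block.strip().splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                sig[key.strip()] = value.strip()
    return body, sig

def demo_sign(body, thumbprint):
    """Stand-in signer for fixtures (constructed, NOT real certificate signing)."""
    return hmac.new(thumbprint.upper().encode(), body.encode(), hashlib.sha256).hexdigest()

def demo_verify(body, thumbprint, signature):
    """Stand-in verifier: true only if the body is unchanged since demo_sign ran."""
    return hmac.compare_digest(demo_sign(body, thumbprint), signature)

def evaluate_launch(ica_text, policy, trusted_thumbprints, verify=demo_verify):
    """Apply the allow list and Security policy setting to one ICA launch."""
    body, sig = split_ica(ica_text)
    thumb = sig.get("Thumbprint", "").upper()
    allow_list = {t.upper() for t in trusted_thumbprints}
    # Trusted only if signed, the thumbprint is on the allow list, and the signature verifies.
    trusted = bool(sig.get("Signature")) and thumb in allow_list \
        and verify(body, thumb, sig["Signature"])
    if trusted:
        return Decision.ALLOW
    if policy is SecurityPolicy.SIGNED_ONLY:
        return Decision.DENY          # warning; launch fails as not authorized
    return Decision.PROMPT            # user may continue or cancel (default)
```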

When selecting a digital signature certificate, we recommend you choose from the following priority list:

  1. Buy a code-signing certificate or SSL signing certificate from a public Certificate Authority (CA).
  2. If your enterprise has a private CA, create a code-signing certificate or SSL signing certificate using the private CA.
  3. Use an existing SSL certificate.
  4. Create a root CA certificate and distribute it to user devices using GPO or manual installation.

Inactivity timeouts

Timeout for Workspace sessions

Admins can configure the inactivity timeout value to specify the amount of idle time allowed before users are automatically signed out of the Citrix Workspace session. Users are automatically signed out of Workspace if the mouse, keyboard, or touch is idle for the specified interval of time. The inactivity timeout doesn’t affect active virtual apps and desktops sessions or Citrix StoreFront stores.

To configure inactivity timeout, see Workspace documentation.

The end-user experience is as follows:

  • A notification appears in the session window three minutes before the user is signed out, with an option to stay signed in or sign out.
  • The notification appears only if the configured inactivity timeout value is greater than or equal to five minutes.
  • Users can click Stay signed in to dismiss the notification and continue using the app, in which case the inactivity timer is reset to its configured value. Users can also click Sign out to end the session for the current store.

Timeout for StoreFront sessions

When connected to a StoreFront store, Citrix Workspace app does not apply an inactivity timeout. If you are using a Citrix Gateway, you can configure the gateway’s session timeout. For more information, see StoreFront documentation.
