Configure App Protection

App Protection provides enhanced security when you use the Citrix Workspace app. The feature restricts the ability of clients to be compromised with keylogging and screen-capturing malware. App Protection prevents exfiltration of confidential information, such as user credentials and sensitive information displayed on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information.

This article explains how to configure App Protection on Citrix Workspace app on different platforms.

App Protection is available on Citrix Workspace app for the following platforms:

Disclaimer

App Protection policies filter the access to required functions of the underlying operating system. Specific API calls are required to capture screen or keyboard presses. App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.

Citrix Workspace app for Windows

Prerequisites

  • Citrix Virtual Apps and Desktops Version 1912 LTSR or later.
  • StoreFront version 1912 LTSR or Workspace.
  • Citrix Workspace app version 2203.1 LTSR or later.
  • A valid App Protection license
  • Starting from Citrix Workspace app version 2212, the App Protection component is installed by default during the Citrix Workspace app installation.

    The Enable App Protection checkbox that appears during the installation is replaced with Start App Protection after installation.

    • For Citrix Workspace app versions before 2311:

      Start App Protection after installation - Citrix Workspace app versions before 2311

    • From Citrix Workspace app version 2311 onwards:

      Start App Protection after installation - Citrix Workspace app version 2311 onwards

    When you select this checkbox, App Protection starts immediately after the installation.

    Note:

    If you don’t enable this checkbox, App Protection automatically starts upon the first start of a protected resource or component for customers who are entitled to App Protection.

Configure

Configure the following App Protection features for Citrix Workspace app for Windows:

Limitations

  • This feature is supported only on desktop operating systems such as Windows 11 and Windows 10.
  • Starting with Version 2006.1, Citrix Workspace app isn’t supported on Windows 7. So, App Protection doesn’t work on Windows 7. For more information, see Deprecation.
  • This feature isn’t supported over Remote Desktop Protocol (RDP).

Command-line interface

You can start the App Protection component using the /startappprotection command line parameter. However, the previous /includeappprotection switch is deprecated.

The following table provides information on screens protected depending on deployment:

| App Protection deployment | Screens protected | Screens not protected |
| --- | --- | --- |
| Included in Citrix Workspace app | Self-service plug-in and Authentication manager / User credentials dialog | Connection Center, Devices, Citrix Workspace app error messages, Auto client reconnect, Add account |
| Configured on the Controller | ICA session screen (both apps and desktops) | Connection Center, Devices, Citrix Workspace app error messages, Auto client reconnect, Add account |

When you’re taking a screenshot, only the protected window is blacked out. You can take a screenshot of the area outside the protected window. However, if you’re using the PrtScr key to capture a screenshot on a Windows 10 device, you must minimize the protected window.

Previously, anti-screen capture and anti-keylogging capabilities were enforced by default for Citrix authentication and Citrix Workspace app screens. However, starting from 2212, these capabilities are disabled by default and need to be configured using the Group Policy Object.

Note:

This GPO policy isn’t applicable for ICA and SaaS sessions. The ICA and SaaS sessions continue to be controlled using the Delivery Controller and Citrix Secure Private Access.

App Protection enhancement:

From Citrix Workspace app for Windows 2305 and later, anti-keylogging is enabled on the authentication and self-service plug-in screens if one of the following criteria is met:

  • You have enabled App Protection using one of the following:
    • Select the Start App Protection checkbox during installation.
    • Start the App Protection component using the /startappprotection command line parameter.
  • If you haven’t selected the Start App Protection checkbox or used the /startappprotection command line parameter during the installation, then the anti-keylogging protection is enabled after launching the first protected resource.

Note:

The Global App Configuration service and Group policy objects settings override the preceding behavior. For example, if you’ve disabled the GACS or GPO policy for these screens, then the anti-keylogging isn’t enabled on the authentication and SSP screens.

Citrix Workspace app for Linux

Starting with version 2108, the App Protection feature is fully functional. It supports virtual apps and desktops and is enabled by default. However, you must configure the App Protection feature in the AuthManConfig.xml file to enable it for the authentication manager and the self-service plug-in interfaces.

Prerequisite

App Protection works best with the following operating systems along with the Gnome Display Manager:

  • 64-bit Ubuntu 22.04, Ubuntu 20.04, and Ubuntu 18.04
  • 64-bit Debian 10 and Debian 9
  • 64-bit CentOS 7
  • 64-bit RHEL 7
  • ARMHF 32-bit Raspberry Pi OS (Based on Debian 10 (buster))
  • ARM64 Raspberry Pi OS (Based on Debian 11 (bullseye))

Note:

If you’re using Citrix Workspace app earlier than version 2204, the App Protection feature does not support the operating systems that use glibc 2.34 or later.

If you install the Citrix Workspace app with App Protection feature enabled on the OS that uses glibc 2.34 or later, the OS boot might fail on restarting the system. To recover from the OS boot failure, do one of the following:

  • Reinstall the OS.
  • Go to Recovery mode of the OS and uninstall the Citrix Workspace app using the terminal.
  • Boot through the live OS and remove the /etc/ld.so.preload file from the existing OS, for example by running rm -rf on that file under the mount point of the existing root file system.
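
A pre-install check for the glibc condition in the preceding note, as an added example that is not Citrix code. It assumes the four-digit release numbering used on this page (for example 2204) and reads the local glibc version with os.confstr; the function names are hypothetical.

```python
import os
import re
from pathlib import Path

FIXED_IN_CWA = 2204      # page: releases earlier than 2204 are affected
RISKY_GLIBC = (2, 34)    # page: glibc 2.34 or later triggers the problem


def parse_glibc(text):
    """Return (major, minor) from strings such as 'glibc 2.35' or '2.34'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no glibc version in {text!r}")
    return int(m.group(1)), int(m.group(2))


def local_glibc():
    """glibc version of this host, or None when it is not a glibc system."""
    try:
        value = os.confstr("CS_GNU_LIBC_VERSION")
    except (ValueError, OSError, AttributeError):
        return None
    return parse_glibc(value) if value else None


def boot_risk(cwa_release, glibc, with_app_protection=True):
    """True when the boot-failure condition described on the page applies."""
    if not with_app_protection or glibc is None:
        return False
    return int(cwa_release) < FIXED_IN_CWA and glibc >= RISKY_GLIBC


def preload_entries(path="/etc/ld.so.preload"):
    """Libraries listed in ld.so.preload; comments and blanks are skipped."""
    p = Path(path)
    if not p.is_file():
        return []
    entries = []
    for line in p.read_text().splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        entries.extend(line.replace(":", " ").split())
    return entries


if __name__ == "__main__":
    glibc = local_glibc()
    release = 2203  # constructed sample: the release you plan to install
    print("glibc:", glibc, "| boot risk:", boot_risk(release, glibc))
    # The recovery step deletes the whole file, so record what it lists first.
    print("current preload entries:", preload_entries())
```

Recording the preload entries before installation shows what else would be discarded if the recovery step of deleting /etc/ld.so.preload is ever needed.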

Installing the App Protection component

  1. When you install the Citrix Workspace app using the tarball package, the following message appears: Do you want to install the App Protection component? Warning: You can’t disable this feature. To disable it, you must uninstall Citrix Workspace app. For more information, contact your system administrator. [default $INSTALLER_N]:

  2. Enter Y to install the App Protection component. App Protection isn’t installed by default.

  3. Restart your machine for the changes to reflect. App Protection works as expected only after you restart your machine.

Installing the App Protection component on RPM packages

Starting with Version 2104, App Protection is supported on the RPM version of Citrix Workspace app.

To install App Protection, do the following:

  1. Install Citrix Workspace app.
  2. Install the App Protection ctxappprotection<version>.rpm package from the Citrix Workspace app installer.
  3. Restart the system for the changes to reflect.

Installing the App Protection component on Debian packages

Starting with Version 2101, App Protection is supported on the Debian version of Citrix Workspace app.

To install the App Protection component, run the following command from the terminal before installing Citrix Workspace app:

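# Preseed the installer's answer so that the App Protection component is installed.
export DEBIAN_FRONTEND="noninteractive"
sudo debconf-set-selections <<< "icaclient app_protection/install_app_protection select yes"

# Confirm the preseeded value. Expected output:
#   * app_protection/install_app_protection: yes
sudo debconf-show icaclient

# Install Citrix Workspace app; replace <version> with the package version.
sudo apt install -f ./icaclient_<version>._amd64.deb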

Starting with Version 2106, Citrix Workspace app introduces an option to configure the anti-keylogging and anti-screen capturing functionalities separately for both the authentication manager and self-service plug-in interfaces.

Configure

Configure the following App Protection features for Citrix Workspace app for Linux:

Upgrade

Note:

AppProtection service does not currently support upgrades. If it is installed alongside the Citrix Workspace, upgrading the Citrix Workspace might break the AppProtection service. To prevent any issues during the upgrade, we recommend uninstalling the old version of Citrix Workspace and restarting the machine before installing the new version. For more information, see Install, Uninstall, and Update.

Citrix Workspace app for Mac

Configure the following App Protection features for Citrix Workspace app for Mac:

Citrix Workspace app for iOS

Starting with version 24.9.0, the App Protection feature is fully functional. This feature supports the following and is enabled by default.

  • Virtual Apps and Desktops
  • Internal web and SaaS apps
  • Authentication screens

Anti-keylogging

Prerequisites

  • Citrix Virtual Apps and Desktops Version 1912 LTSR or later.
  • StoreFront version 1912 LTSR or Workspace.
  • Citrix Workspace app for iOS version 24.7.0 or later.
  • A valid App Protection license

Anti-keylogging enabled

Disclaimer:

App Protection policies work by filtering access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). This means that App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys emerge. While we continue to identify and address them, we can’t guarantee full protection in specific configurations and deployments.

Configuration

You can configure the Anti-keylogging and Anti-screen capture features for the following for Citrix Workspace app for iOS:

Using Global App Configuration service

You can configure the Anti-screen capture feature for the authentication screen using:

  • Using UI
  • Using API

Using UI:

Starting with Citrix Workspace app for iOS 24.7.0 version, Citrix Workspace app allows you to configure App Protection for authentication screens using Global App Configuration service (GACS).

If you enable the anti-screen capturing functionality using GACS, it applies to the authentication screen.

Administrators can configure App Protection using the Workspace Configuration UI:

  1. Sign in to your Citrix Cloud account and select Workspace Configuration.

    Workspace configuration

  2. Select App Configuration > Security and Authentication > App Protection.

    Security and authentication

  3. Click Anti Key Logging and then select the iOS Operating System.

  4. Click Anti Screen Capture and then select the iOS Operating System.

  5. Click the Enabled toggle button and then click Publish Drafts.

  6. In the Publish Settings dialog box, click Yes.

    Publish settings

Using API:

The administrators can use the API to configure the App Protection features. The settings are as follows for Citrix Workspace app for iOS:

Setting to enable or disable anti-screen capturing:

"name": "enable anti screen capture for auth", "value": "true" or "false"

Setting to enable or disable anti-keylogging:

"name": "enable anti key-logging for auth", "value": "true" or "false"

Example:

Following is a sample JSON file to enable anti-screen capture and anti-keylogging features for Citrix Workspace app in GACS:

{
  "category": "App Protection",
  "userOverride": false,
  "assignedTo": [
    "AllUsersNoAuthentication"
  ],
  "settings": [
    {
      "name": "Enable Anti Screen Capture For Auth",
      "value": "true"
    },
    {
      "name": "Enable Anti Key Logging For Auth",
      "value": "true"
    }
  ]
}

Using Unified Endpoint Management solutions

Starting with the 24.7.0 version of Citrix Workspace app for iOS, administrators can enable App Protection feature for the authentication screen. Administrators can configure this feature using an AppConfig-based key-value pair.

  • For enabling anti-screen capture:
    • Key: enableAntiScreenCaptureForAuth
    • value type: Boolean
    • value:
      • If set to true, the anti-screen capture feature is enabled.
      • If set to false, the anti-screen capture feature is disabled.
  • For enabling anti-keylogging:
    • Key: enableAntiKeyLoggingForAuth
    • value type: Boolean
    • value:
      • If set to true, the anti-keylogging feature is enabled.
      • If set to false, the anti-keylogging feature is disabled.

Steps to disable custom keyboards

When the anti-keylogging feature is enabled and the Use Custom keyboards toggle switch is turned on, you can’t open virtual apps, virtual desktops, web apps, or SaaS apps and the following alert message appears:

Anti-keylogging enabled

To disable the custom keyboard, do the following:

  1. Click Keyboard Options in the preceding alert dialog box.

  2. Clear Use Custom keyboards from the store settings. The Disable Custom Keyboards dialog box appears.

  3. Click Exit in the Disable Custom Keyboards dialog box. The Exiting dialog box appears.

  4. Click OK. Citrix Workspace app exits and then restarts automatically to reflect the changes.

Limitations

  • Keylogging prevention:

    Keylogging prevention is only effective through soft keyboards. Hardware keyboards are not protected by the anti-keylogging feature.

  • Anti-keylogging for Authentication Screen:

    Anti-keylogging is not supported for the authentication screen when multiple stores are added or when a store is deleted.

  • System browsers:

    The anti-keylogging feature for the authentication screen is not supported when using system browsers.

  • Web interface authentication screen:

    Anti-screen capture and anti-keylogging features aren’t supported on the web interface authentication screen.

Anti-screen capture

From the Citrix Workspace app for iOS 24.7.0 version, the following features are enabled:

  • Anti-screen capture - This feature prevents unauthorized screen captures, recordings, QuickTime screen mirroring, screen sharing, and app switching. The anti-screen capture feature is available for the authentication screen, web or SaaS apps, and Citrix Virtual Apps and Desktops. When you capture a screen, the custom message "Screen Capture is disabled by your administrator for security reasons" is shown in the captured media instead of the actual content displayed on the screen. Anti-screen capture protects against various forms of unauthorized screen access such as:

    • Screenshot: Prevents screenshots from being taken.
    • Screen recording: Blocks screen recording software.
    • Screen mirroring: Disables mirroring of the screen to other devices.
    • Screen share: Restricts screen sharing functionality.
    • App switcher: Prevents sensitive information from being visible in app switcher previews.

    Screen capture disabled

Anti-screen multi-monitor support

With this feature, App Protection extends its protection to all connected screens, ensuring that screenshots are protected on external multi-monitors. The contents on both the iPad and the external monitor are protected.

The external display is protected in all the three modes:

Select Mode

  • Mirror: Allows you to mirror the display on the external monitor connected to the iPad. With anti-screen protection, both screens are protected, preventing unauthorized screenshots from capturing the content.
  • Presentation: Allows you to present the desktop on an external monitor while using the iPad screen as a trackpad. Anti-screen protection ensures that both the content on the external monitor during presentations and the iPad’s display are protected.
  • Extend: Allows you to display different views or screens on each display. Anti-screen protection extends to both the iPad and the external monitor, ensuring that the screenshots are protected.

Citrix Workspace app for Android

Prerequisites

  • Citrix Virtual Apps and Desktops Version 1912 LTSR or later.
  • StoreFront version 1912 LTSR or Workspace.
  • Citrix Workspace app for Android version 24.7.0 or later.
  • A valid App Protection license

Configuration

You can configure the Anti-screen capture feature for the following:

Using Global App Configuration service

You can configure the Anti-screen capture feature for the authentication screen using:

  • Using UI
  • Using API

Using UI:

Citrix Workspace app allows you to configure App Protection for authentication screens using Global App Configuration service (GACS).

If you enable the anti-screen capturing functionality using GACS, it applies to the authentication screen.

Administrators can configure App Protection using the Workspace Configuration UI:

  1. Sign in to your Citrix Cloud account and select Workspace Configuration.

    Workspace configurations

  2. Select App Configuration > Security and Authentication > App Protection.

    Security and Authentication

  3. Click Anti Screen Capture and then select the Android Operating System.

  4. Click the Enabled toggle button and then click Publish Drafts.

  5. In the Publish Settings dialog box, click Yes.

    Publish settings

Using API:

The administrators can use the API to configure the App Protection feature. The setting to enable or disable anti-screen capturing for Citrix Workspace app for Android:

"name": "enable anti screen capture for auth", "value": "true" or "false"

Example: Following is a sample JSON file to enable anti-screen capture feature for Citrix Workspace app in GACS:

{
  "category": "App Protection",
  "userOverride": false,
  "assignedTo": [
    "AllUsersNoAuthentication"
  ],
  "settings": [
    {
      "name": "Enable Anti Screen Capture For Auth",
      "value": "true"
    }
  ]
}

Using Unified Endpoint Management solutions

Starting with the 24.7.0 version of Citrix Workspace app for Android, administrators can enable the App Protection feature for the authentication screen. Administrators can configure this feature using an AppConfig-based key-value pair.

  • For enabling anti-screen capture:

    • Key: enableAntiScreenCaptureForAuth
    • value type: Boolean
    • value:
      • If set to true, the anti-screen capture feature is enabled.
      • If set to false, the anti-screen capture feature is disabled.
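
For the GACS settings objects shown under "Using API" in the iOS and Android sections, a check that can run before a payload is published, as an added example that is not Citrix code. It assumes the object shape of this page's sample JSON and compares userOverride only against that sample; the function names and sample payloads are constructed for illustration.

```python
import json

# Setting names from this page's sample JSON, mapped to the platform sections
# that document them (iOS: both settings, Android: anti-screen capture only).
KNOWN = {
    "enable anti screen capture for auth": {"ios", "android"},
    "enable anti key logging for auth": {"ios"},
}


def normalise(name):
    """The page spells the names with mixed case, hyphens and stray spaces."""
    return " ".join(str(name).lower().replace("-", " ").split())


def audit(payload_text, platform):
    """Return (enabled_settings, findings) for one settings object."""
    try:
        doc = json.loads(payload_text)
    except json.JSONDecodeError as exc:
        return set(), [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return set(), ["top level is not a JSON object"]
    findings, enabled = [], set()
    if doc.get("category") != "App Protection":
        findings.append("category is not 'App Protection'")
    if doc.get("userOverride") is not False:
        findings.append("userOverride differs from the page's sample (false)")
    for item in doc.get("settings", []):
        name, value = normalise(item.get("name", "")), item.get("value")
        if name not in KNOWN:
            findings.append(f"unknown setting name: {item.get('name')!r}")
        elif platform not in KNOWN[name]:
            findings.append(f"'{name}' is not documented for {platform}")
        elif value not in ("true", "false"):
            findings.append(f"'{name}' value is not the string true/false")
        elif value == "true":
            enabled.add(name)
    for name, platforms in KNOWN.items():
        if platform in platforms and name not in enabled:
            findings.append(f"'{name}' is not enabled for {platform}")
    return enabled, findings


# Constructed samples: a complete iOS payload and a hand-edited Android payload
# whose trailing comma makes it invalid JSON.
SAMPLE_IOS = json.dumps({
    "category": "App Protection", "userOverride": False,
    "assignedTo": ["AllUsersNoAuthentication"],
    "settings": [
        {"name": "Enable Anti Screen Capture For Auth", "value": "true"},
        {"name": "Enable Anti Key Logging For Auth", "value": "true"}]})
SAMPLE_BROKEN = '{"category": "App Protection", "settings": [{"name": "x"},]}'

if __name__ == "__main__":
    for label, text, platform in (("ios", SAMPLE_IOS, "ios"),
                                  ("android", SAMPLE_BROKEN, "android")):
        print(label, audit(text, platform))
```

An empty findings list means every protection this page documents for the platform is switched on in the payload; any finding is a reason to hold the publish step.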

Recommendation

App Protection policies are primarily focused on enhancing the security and protection of an endpoint. Review all other security recommendations and policies for your environment. You can use a Security and Control policy template for a recommended configuration in environments with low tolerance to risk. For more information, see Policy templates.
