Scenario 1
This scenario covers how to disable App Protection for certain device types.
The following are the steps to disable App Protection for iPhone users on a delivery group called Win10Desktop:
- Create a Smart Access policy:
  - Sign in to the Citrix ADC Administration UI.
  - On the left navigation menu, go to Citrix Gateway > Virtual Servers. Note the VPN Virtual Server name, which is needed to configure the Broker Access Policy later on.
  - Click VPN Virtual Server. Scroll to the bottom of the page and click Session policies. A list of session policies appears.
  - Click Add Binding.
  - Click Add to create a session policy.
  - Enter a name for the session policy. In this scenario, it is temp.
  - Click Add next to Profile to specify a Profile name. Click Create.
  - Click Expression Editor from the Session policy window.
  - Create the following expression to check for iPhone in the User Agent string:
    HTTP.REQ.HEADER("User-Agent").CONTAINS("iPhone")
  - Click Bind to create the session policy.
- Create Broker access policy rules:
  To apply the policy for iPhone users accessing Win10Desktop through the access gateway, do the following steps:
  - Run the following command in the Delivery Controller (DDC):
    Get-BrokerAccessPolicyRule
    This command lists all the Broker Access policies defined in the DDC. In this scenario, the Broker Access policies for the delivery group Win10Desktop are Win10Desktop_AG and Win10Desktop_Direct. Note the desktop group UID of the delivery group for the next step.
  - Create a broker access policy rule for Win10Desktop to filter iPhone users coming through the access gateway using the following command:
    New-BrokerAccessPolicyRule -Name Win10Desktop_AG_iPhone -DesktopGroupUid <Uid_of_desktopGroup> -AllowedConnections ViaAG -AllowedProtocols HDX, RDP -AllowedUsers AnyAuthenticated -AllowRestart $true -AppProtectionKeyLoggingRequired $false -AppProtectionScreenCaptureRequired $false -Enabled $true -IncludedSmartAccessFilterEnabled $true
    Uid_of_desktopGroup is the DesktopGroupUID of the delivery group, obtained by running Get-BrokerAccessPolicyRule in step 1.
  - To disable App Protection for Win10Desktop iPhone users coming through the access gateway, reference the Smart Access tag temp created in Step 1. Create Smart Access policy using the following command:
    Set-BrokerAccessPolicyRule Win10Desktop_AG_iPhone -IncludedSmartAccessTags Primary_HDX_Proxy:temp -AppProtectionScreenCaptureRequired $false -AppProtectionKeyLoggingRequired $false
    Primary_HDX_Proxy is the VPN virtual server name from earlier in Step 1, Create Smart Access Policy.
  - To enable App Protection policies for the rest of the Win10Desktop users, use the following command:
    Set-BrokerAccessPolicyRule Win10Desktop_AG -AppProtectionScreenCaptureRequired $true -AppProtectionKeyLoggingRequired $true
Verification
For iPhone: Sign out of the Citrix Workspace app, if already open on the iPhone. Sign in to Citrix Workspace app externally through the access gateway connection. You can see the required resources in StoreFront and App Protection has to be disabled.
For devices other than the iPhone: Sign out of the Citrix Workspace app, if already open on the device. Sign in to Citrix Workspace app externally through an access gateway connection. You can see the required resources in the StoreFront and App Protection has to be disabled.
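The client-side check above can be complemented on the Delivery Controller by listing which access policy rules leave an App Protection control off and whether a Smart Access tag scopes each one. This is an added example, not part of the Citrix documentation; the function name Get-AppProtectionExemption and the sample rule values are constructed, and it assumes rule objects expose properties named like the parameters used in the commands above.

```powershell
# Added example, not Citrix code. Reports every access policy rule that leaves
# an App Protection control off, and whether a Smart Access tag scopes it.
# Assumption: rule objects expose properties named like the parameters above.
function Get-AppProtectionExemption {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Rule)
    process {
        $keylog = [bool]$Rule.AppProtectionKeyLoggingRequired
        $screen = [bool]$Rule.AppProtectionScreenCaptureRequired
        if ($keylog -and $screen) { return }    # both controls enforced, nothing to report

        # Drop null/empty entries so an unset tag list counts as zero tags.
        $tags   = @($Rule.IncludedSmartAccessTags | Where-Object { $_ })
        $scoped = [bool]$Rule.IncludedSmartAccessFilterEnabled -and ($tags.Count -gt 0)
        if ($scoped) { $finding = 'Scoped to Smart Access tag(s)' }
        else         { $finding = 'No Smart Access tag on this rule: review' }

        [pscustomobject]@{
            Rule              = $Rule.Name
            Enabled           = [bool]$Rule.Enabled
            Connections       = $Rule.AllowedConnections
            AntiKeyLogging    = $keylog
            AntiScreenCapture = $screen
            SmartAccessTags   = $tags -join ', '
            Finding           = $finding
        }
    }
}

# Constructed sample rules using the names from this scenario; the values for
# Win10Desktop_Direct are invented for illustration.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Win10Desktop_AG'; Enabled = $true; AllowedConnections = 'ViaAG'
        IncludedSmartAccessFilterEnabled = $false; IncludedSmartAccessTags = @()
        AppProtectionKeyLoggingRequired = $true; AppProtectionScreenCaptureRequired = $true }
    [pscustomobject]@{ Name = 'Win10Desktop_AG_iPhone'; Enabled = $true; AllowedConnections = 'ViaAG'
        IncludedSmartAccessFilterEnabled = $true; IncludedSmartAccessTags = @('Primary_HDX_Proxy:temp')
        AppProtectionKeyLoggingRequired = $false; AppProtectionScreenCaptureRequired = $false }
    [pscustomobject]@{ Name = 'Win10Desktop_Direct'; Enabled = $true; AllowedConnections = 'NotViaAG'
        IncludedSmartAccessFilterEnabled = $false; IncludedSmartAccessTags = @()
        AppProtectionKeyLoggingRequired = $false; AppProtectionScreenCaptureRequired = $false }
)
$sampleRules | Get-AppProtectionExemption | Format-Table -AutoSize

# On a Delivery Controller, feed it the real rules instead:
# Get-BrokerAccessPolicyRule -DesktopGroupUid <Uid_of_desktopGroup> | Get-AppProtectionExemption
```

With the constructed sample, Win10Desktop_AG is omitted because both controls are required, Win10Desktop_AG_iPhone is reported as scoped to Primary_HDX_Proxy:temp, and Win10Desktop_Direct is flagged for review.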