Introduction
In 2021 Citrix introduced App Protection for Virtual Apps and Desktops. This feature protects your Citrix resources from unwanted keylogging and screen sharing, so that all your (confidential) data remains secure, even on endpoints that are not managed by your IT department. I was recently tasked to set this up at a customer. While there is a decent amount of documentation available, it’s all over the place. So I wanted to write a blogpost that combines all the relevant steps that need to be performed to get it to work.
Delivery Controller
NOTE: For all PowerShell commands in this blogpost, I am making the assumption that you are running these on your Delivery Controller. If not: make sure the Citrix PowerShell cmdlets are installed (these come along with the Citrix Studio installation) and add the ‘-AdminAddress’ parameter to the command.
First you need to make sure your Citrix Virtual Apps and Desktops environment supports the new App Protection features. If you are running version 2303 (the first version with Citrix Web Studio) or later, you are good to go. For older versions: even though you can see the options when looking up a Delivery Group in PowerShell, that does not mean your environment is already set up correctly to enable them.
Get-BrokerDesktopGroup -Name DG-SBC | Select-Object -Property Name,AppProtectionKeyLoggingRequired,AppProtectionScreenCaptureRequired | Format-List

Name                               : DG-SBC
AppProtectionKeyLoggingRequired    : False
AppProtectionScreenCaptureRequired : False
When you try to enable it on a single delivery group you might get an error:
Set-BrokerDesktopGroup -Name DG-SBC -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true

Set-BrokerDesktopGroup : A required feature is disabled by the system configuration
At line:1 char:1
+ Set-BrokerDesktopGroup -Name DG-SBC -AppProtectionKeyLoggingRequired ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Set-BrokerDesktopGroup], SdkOperationException
    + FullyQualifiedErrorId : Citrix.XDPowerShell.Broker.FeatureNotEnabled,Citrix.Broker.Admin.SDK.SetBrokerDesktopGroupCommand
In that case you need to download the Contextual App Protection policies (the feature table XML file) from Citrix and import it on one of your Delivery Controllers. You can find it on the Citrix downloads page: search for Contextual, or look it up under the Components section of the Citrix Virtual Apps and Desktops version you are running (see the Citrix documentation about this).
You can import the feature table with the following command:
Import-ConfigFeatureTable -Path <path to the downloaded feature table>
With this done you need to enable the TrustRequestsSentToTheXmlServicePort setting (which might already be enabled on your Citrix VAD site). Check its current value with:
Get-BrokerSite
You can enable the setting with the following command:
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
With this done, your Citrix VAD site should be ready for enabling the App Protection features for each Delivery Group.
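The Delivery Controller steps above (check the site setting, attempt to enable the features, import the feature table if the site refuses, retry and verify) can be chained into a single script. The following is an added example, not code from the original post or from Citrix; it uses only the cmdlets mentioned above. The feature table path, the Delivery Group name, the `Citrix*` snap-in name and the assumption that `Import-ConfigFeatureTable` accepts `-AdminAddress` like the Broker cmdlets are mine.

```powershell
# Added example (not part of the original post): prepare a CVAD site for
# App Protection and enable it on one Delivery Group for testing.
# Assumes the Citrix PowerShell cmdlets are available (installed with Studio).
# $DeliveryGroup and $FeatureTablePath are placeholders you must adjust.
param(
    [string]$DeliveryGroup    = 'DG-SBC',                   # Delivery Group used for the test
    [string]$FeatureTablePath = 'C:\Temp\FeatureTable.xml', # downloaded feature table (placeholder path)
    [string]$AdminAddress     = $null                       # set when not running on a Delivery Controller
)

Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

# Pass -AdminAddress to every cmdlet only when it was given (see the note above).
$common = @{}
if ($AdminAddress) { $common['AdminAddress'] = $AdminAddress }

# 1. The site must trust requests sent to the XML service port.
$site = Get-BrokerSite @common
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    Write-Warning 'TrustRequestsSentToTheXmlServicePort is disabled; enabling it.'
    Set-BrokerSite @common -TrustRequestsSentToTheXmlServicePort $true
}

# 2. Try to enable both App Protection features on the test Delivery Group.
#    On sites older than 2303 without the feature table this fails with
#    the FeatureNotEnabled error shown earlier in the post.
function Enable-AppProtectionOnGroup {
    Set-BrokerDesktopGroup @common -Name $DeliveryGroup `
        -AppProtectionKeyLoggingRequired $true `
        -AppProtectionScreenCaptureRequired $true `
        -ErrorAction Stop
}

try {
    Enable-AppProtectionOnGroup
}
catch {
    if ($_.FullyQualifiedErrorId -like '*FeatureNotEnabled*') {
        Write-Warning 'App Protection is not enabled on this site; importing the feature table.'
        if (-not (Test-Path -Path $FeatureTablePath)) {
            throw "Feature table not found at $FeatureTablePath (download it from the Citrix downloads page)."
        }
        # Assumption: the Configuration cmdlet accepts -AdminAddress like the Broker cmdlets.
        Import-ConfigFeatureTable @common -Path $FeatureTablePath
        Enable-AppProtectionOnGroup   # second attempt after the import
    }
    else {
        throw   # any other error is unrelated to the feature table; surface it unchanged
    }
}

# 3. Verify that both flags are now set on the Delivery Group.
Get-BrokerDesktopGroup @common -Name $DeliveryGroup |
    Select-Object -Property Name, AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired |
    Format-List
```

Run it in an elevated PowerShell session on a Delivery Controller (or pass `-AdminAddress`); the final `Format-List` output should show both properties as `True`, matching what the post shows for a working site.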
StoreFront
Now we move on to Citrix StoreFront. If you are running Citrix StoreFront 2308 or newer you don’t need to do anything. For anything older than version 2308 you need to run a StoreFront customization script (see the Citrix documentation about this).
You can download this customization script from the Citrix downloads page under Citrix Workspace App and SDKs, Scripts and Sources (StoreFront Customization for Hybrid Launch Support with App Protection).
Unpack it to the primary server in your StoreFront server group and run the deploy-solution.ps1 script in an elevated PowerShell instance. The script will ask you to specify an action and the name of the StoreFront store that should be customized. Type Deploy as the action and your store name to perform the customization.
It will copy some DLL files and scripts, and it will edit the web.config file.
On newer Windows Server versions the IIS service is named W3SVC instead of IISADMIN. This causes the error you see in the screenshot when the script tries to restart the service. Just manually restart the W3SVC service or run iisreset.
The script also has the option to perform the ApplyUICustomization action. This will remove the Already installed option from the StoreFront webpage to force the user to run the Workspace Launcher plugin (more on this later).
Enable, test and achieve success
Your Citrix site should now be ready to support App Protection. You can set up various access policies to enable it for certain users/connections, but my advice would be to first enable it for a single Delivery Group to test whether it works.
If you are using the regular Citrix Studio you would need to enable it through PowerShell:
Set-BrokerDesktopGroup -Name <Delivery Group name> -AppProtectionKeyLoggingRequired $true -AppProtectionScreenCaptureRequired $true
If you are (already) using Citrix Web Studio it is a bit easier. Just edit the Delivery Group and enable the features in the App Protection section.
Now to test it. One thing that is important if you access your site through the StoreFront webpage or NetScaler Gateway webpage is that the Workspace Launcher browser plugin is used. When first logging in you usually get the option ‘Detect Citrix Workspace app’.
When you press this you should get a popup saying the website is trying to open Citrix Workspace Launcher. This step is required so the website can determine whether the installed Workspace App version is compliant and has the App Protection feature installed.
If the version is not compliant or the App Protection feature was not included in the installation it should not show the resources of the Delivery Groups with App Protection enabled.
This is where the ApplyUICustomization action that I mentioned earlier comes into play. When you press Already Installed during the detection phase, you are able to skip the Citrix Workspace Launcher. This also skips the detection of the installed Workspace App and therefore causes the protected resources not to be shown.
So while it is not required to apply the customization, I would still recommend implementing it with the goal of reducing related helpdesk tickets.
In regards to the Citrix Workspace App:
Citrix Workspace App version 2212 or newer installs the App Protection feature by default and it only gives you the option to start it (the Windows service that is) after installation. I don’t really see the point of this since it will still start the App Protection Windows service when you launch a published application or desktop. To use this option during silent/command-line installation use the parameter: /startappprotection
During the installation of older Citrix Workspace App versions you get the option to install the feature or skip it completely. If you are performing a command-line installation, use the parameter /includeappprotection to include it.
You should now be able to test it. Start one of the resources of the Delivery Group on which App Protection is enabled and try to take a screenshot from your local device (using Snipping Tool, for example). This should show a notification and black out the running Citrix resource, leaving only the local desktop visible (if the resource is not running full screen).
You should get a similar notification if you install a keylogger on your device.
Other features
Anti-keylogging and anti-screen capture are the main features of Citrix App Protection, but there are more features, although some of these focus more on the local Workspace App than on the Citrix resources.
The following features are included:
– Anti-DLL injection
Block any unauthorized DLL-files or untrusted modules.
– Policy tampering detection
Disconnects Citrix resources if it detects tampering in the keylogging and screen capture App Protection policies.
– Posture check
Will only allow the user/client access if the used Workspace App version supports the defined App Protection features.
– App Protection support for double-hop scenarios (CWA 2405+)
Use anti-keylogging and anti-screen capture for a session within a session (only supported if the client OS is Windows 10 or 11 and the first hop runs a single-session VDA).
– Block double-hop launch
Prevent access to App Protection-enabled Citrix resources in a double-hop setting.
– Citrix Analytics Service for App Protection
Logging of screen capture attempts (includes device ID and tool used)
– Screen capture allow list
Exclude certain apps from the anti-screen capture feature
– Local App Protection (in preview)
Instead of just the Citrix resources, it is also possible to block local keyloggers and screen capture tools.
Enable for specific IP subnet
At the customer in question there was a requirement to only enable anti-keylogging and anti-screen capture when accessing the Citrix site from a specific subnet. You can accomplish this through PowerShell. In Citrix VAD version 2407 or newer you also have the option to use Smart Access (the option ‘apply contextually’ is available in Citrix Web Studio), but Smart Access deserves a blog post (or several) of its own, so I will not go into that here.
With the following command you can list the access policies per Delivery Group:
Get-BrokerAccessPolicyRule -DesktopGroupName <Delivery Group name>
Usually this gives two results, one for connections through a Gateway and the other for direct connections. The screenshot below shows one of these policy rules.
To accomplish this for a certain IP subnet you need to create a new access policy rule in which you enable the App Protection features and specify the subnet in question:
New-BrokerAccessPolicyRule -Name <rule name> `
    -Description <description> `
    -AppProtectionKeyLoggingRequired $True `
    -AppProtectionScreenCaptureRequired $True `
    -IncludedClientIPFilterEnabled $True `
    -IncludedClientIPs "192.168.1.0/24" `
    -DesktopGroupUid "1" `
    -AllowRestart <$True or $False> `
    -AllowedConnections <ViaAG or NotViaAG> `
    -AllowedProtocols <protocol list>
NOTE: Listing each parameter on its own line and ending each line with the backtick continuation character is not required. I only did it in the snippet above to make it easier to read and understand.
This is just an example of course. There are more options possible for most of the mentioned parameters.
AllowedConnections, for example, has the following options:
– Filtered
Connections not through a Gateway; Smart Access tags (if any) are applied.
– NotViaAG
Connections not through a Gateway; Smart Access tags are ignored.
– ViaAG
Connections through a Gateway; Smart Access tags (if any) are applied.
– AnyViaAG
Connections through a Gateway; Smart Access tags are ignored.
You can also edit an existing rule by using Set-BrokerAccessPolicyRule and referring to the name of the policy rule you want to edit. You could for example enable the App Protection features when connecting through a NetScaler Gateway and leave them disabled when connecting directly. Although from a security standpoint I would always recommend connecting through a Gateway and never allow users direct access to your session hosts.
The trouble with creating these access policy rules through PowerShell is that Citrix Studio cannot display these settings. As a result, if you add a rule like the one shown above and open the Delivery Group, you will get messages like these:
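Because Studio cannot display these rules, the only reliable way to see which connections require App Protection is to query the Broker. The script below is an added example, not code from the original post or from Citrix: it creates (or updates) a subnet-scoped rule for one Delivery Group, copying the protocol and restart settings from the group’s existing Gateway rule so the new rule does not widen access, and then reports every rule of the group with its App Protection flags. The rule name, subnet, the `Citrix*` snap-in name and the `AllowRestart` and `Enabled` property names are my assumptions.

```powershell
# Added example (not part of the original post): require App Protection only for
# clients in one subnet, and audit the rules Studio cannot display.
# Assumes the Citrix cmdlets are loaded; $Subnet and $RuleName are constructed values.
param(
    [string]$DeliveryGroup = 'DG-SBC',
    [string]$Subnet        = '192.168.1.0/24',              # constructed sample subnet
    [string]$RuleName      = 'DG-SBC_AppProtection_Subnet'  # constructed rule name
)

Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

$dg = Get-BrokerDesktopGroup -Name $DeliveryGroup

# Use the group's existing Gateway rule as a template for settings that are
# unrelated to App Protection (assumed property names: AllowedProtocols, AllowRestart).
$template = Get-BrokerAccessPolicyRule -DesktopGroupName $DeliveryGroup |
    Where-Object { $_.AllowedConnections -eq 'ViaAG' } |
    Select-Object -First 1
if (-not $template) { throw "No ViaAG access policy rule found for $DeliveryGroup." }

$existing = Get-BrokerAccessPolicyRule -Name $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    # Re-running the script only refreshes the App Protection and subnet settings.
    Write-Warning "Rule $RuleName already exists; updating it."
    Set-BrokerAccessPolicyRule -Name $RuleName `
        -AppProtectionKeyLoggingRequired $true `
        -AppProtectionScreenCaptureRequired $true `
        -IncludedClientIPFilterEnabled $true `
        -IncludedClientIPs $Subnet
}
else {
    # Gateway connections only, matching the post's advice to never allow
    # direct access to the session hosts.
    New-BrokerAccessPolicyRule -Name $RuleName `
        -Description "App Protection required for clients in $Subnet" `
        -DesktopGroupUid $dg.Uid `
        -AllowedConnections ViaAG `
        -AllowedProtocols $template.AllowedProtocols `
        -AllowRestart $template.AllowRestart `
        -AppProtectionKeyLoggingRequired $true `
        -AppProtectionScreenCaptureRequired $true `
        -IncludedClientIPFilterEnabled $true `
        -IncludedClientIPs $Subnet | Out-Null
}

# Audit: list every rule of the Delivery Group with the settings Studio hides.
function Get-AppProtectionRuleReport {
    param([string]$GroupName)
    Get-BrokerAccessPolicyRule -DesktopGroupName $GroupName |
        Select-Object -Property Name, Enabled, AllowedConnections,
            AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired,
            IncludedClientIPFilterEnabled,
            @{ Name = 'IncludedClientIPs'; Expression = { $_.IncludedClientIPs -join ',' } }
}

Get-AppProtectionRuleReport -GroupName $DeliveryGroup | Format-Table -AutoSize
```

The report is worth keeping as a scheduled check: a rule with both App Protection flags set but `IncludedClientIPFilterEnabled` false, or a second unfiltered rule for the same group, means clients outside the intended subnet can still launch the resources without protection.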
Wrap up
That is about it for setting up App Protection. The most important takeaways are (in my opinion):
– Make sure your users run the Workspace Launcher when accessing StoreFront/Gateway through a browser and remove the Already Installed button with the ApplyUICustomization action in the Deploy-Solution.ps1 script.
– Upgrade to a version of Citrix Virtual Apps and Desktops that includes the Citrix Web Studio (2303 or later) to make enabling App Protection a lot easier.
– Make sure your users run a version of Workspace App that has the App Protection feature (CWA 1912 or newer when using Windows, CWA 2001 or newer when using iOS) and that it is enabled during installation (CWA 2212 or newer has it enabled by default).
If you have any remarks or if I said/typed something wrong in this blog, don’t hesitate to leave a comment and call me out on it.
Update 14-04-2025 – Licensing
After posting this article I remembered that Citrix App Protection requires a separate Citrix license in your licensing server. Before you feel fear creeping up about convincing management to spend even more money on Citrix licenses, do not be concerned since these should be included in the Citrix Virtual Desktop license. It’s just a separate license set that you need to allocate and import into your licensing server.