Configure

When you use Citrix Workspace app for Windows, the following configurations allow users to access their hosted applications and desktops.

Administrator tasks and considerations

This article discusses the tasks and considerations that are relevant for administrators of Citrix Workspace app for Windows.

Feature flag management

If an issue occurs with Citrix Workspace app in production, we can disable an affected feature dynamically in Citrix Workspace app even after the feature is shipped.

To do so, we use feature flags and a third-party service called LaunchDarkly. You do not need to make any configurations to enable traffic to LaunchDarkly, except when you have a firewall or proxy blocking outbound traffic. In that case, you enable traffic to LaunchDarkly via specific URLs or IP addresses, depending on your policy requirements.

You can enable traffic and communication to LaunchDarkly in the following ways:

Enable traffic to the following URLs

  • events.launchdarkly.com
  • stream.launchdarkly.com
  • clientstream.launchdarkly.com
  • Firehose.launchdarkly.com
  • mobile.launchdarkly.com

List IP addresses in an allow list

If you must list IP addresses in an allow list, see the LaunchDarkly public IP list for all current IP address ranges. You can use this list to ensure that your firewall configurations are updated automatically in keeping with the infrastructure updates. For details about the status of the infrastructure changes, see the LaunchDarkly Status page.

LaunchDarkly system requirements

If split tunneling on the Citrix ADC is set to OFF, verify that the apps can communicate with the following services:

  • LaunchDarkly service
  • APNs listener service

Disabling LaunchDarkly service

You can disable the LaunchDarkly service by using a Group Policy Object (GPO) policy.

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace > Compliance.
  3. Select Disable sending data to 3rd party policy and set it to Enabled.
  4. Click Apply and OK.

Group Policy Object administrative template

We recommend that you use the Group Policy Object administrative template to configure rules for:

  • Network routing
  • Proxy servers
  • Trusted server configuration
  • User routing
  • Remote user devices
  • User experience

You can use the receiver.admx / receiver.adml template files with domain policies and local computer policies. For domain policies, import the template file using the Group Policy Management console. Importing is useful when applying Citrix Workspace app settings to several different user devices throughout the enterprise. To modify on a single user device, import the template file using the local Group Policy Editor on the device.

Citrix recommends using the Windows Group Policy Object (GPO) administrative template to configure Citrix Workspace app.

The installation directory includes CitrixBase.admx and CitrixBase.adml, and the administrative template files (receiver.adml or receiver.admx).

Note:

The .admx and .adml files are for use with the Windows versions mentioned in the Compatibility matrix.

If Citrix Workspace app is installed with VDA, the ADMX/ADML files are typically found in the <installation directory>\Online Plugin\Configuration directory.

If Citrix Workspace app is installed without the VDA, the ADMX/ADML files are typically found in the C:\Program Files\Citrix\ICA Client\Configuration directory.

See the following table for information about Citrix Workspace app template files and their respective locations.

Note:

Citrix recommends that you use the GPO template files provided with the latest version of Citrix Workspace app.

| File type | File location |
| --- | --- |
| receiver.adm | <Installation Directory>\ICA Client\Configuration |
| receiver.admx | <Installation Directory>\ICA Client\Configuration |
| receiver.adml | <Installation Directory>\ICA Client\Configuration\[MUIculture] |
| CitrixBase.admx | <Installation Directory>\ICA Client\Configuration |
| CitrixBase.adml | <Installation Directory>\ICA Client\Configuration\[MUIculture] |

Note:

  • If the CitrixBase.admx\adml isn’t added to the local GPO, the Enable ICA File Signing policy might be lost.
  • When upgrading Citrix Workspace app, add the latest template files to local GPO. Earlier settings are retained after import. For more information, see the following procedure:

To add the receiver.admx/adml template files to the local GPO:

You can use .adm template files to configure both the Local and the domain-based GPO. Refer to the Microsoft MSDN article about managing ADMX files here.

After installing Citrix Workspace app, copy the following template files:

| File type | Copy from | Copy to |
| --- | --- | --- |
| receiver.admx | Installation Directory\ICA Client\Configuration\receiver.admx | %systemroot%\policyDefinitions |
| CitrixBase.admx | Installation Directory\ICA Client\Configuration\CitrixBase.admx | %systemroot%\policyDefinitions |
| receiver.adml | Installation Directory\ICA Client\Configuration\[MUIculture]\receiver.adml | %systemroot%\policyDefinitions\[MUIculture] |
| CitrixBase.adml | Installation Directory\ICA Client\Configuration\[MUIculture]\CitrixBase.adml | %systemroot%\policyDefinitions\[MUIculture] |

Note:

Add the CitrixBase.admx/CitrixBase.adml to the \PolicyDefinitions folder to view the template files in Administrative Templates > Citrix Components > Citrix Workspace.
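
The copy steps from the table above as a PowerShell script. This is an added example, not Citrix tooling: it assumes the default installation path without the VDA (override with -Source), must run elevated, and goes slightly beyond the table by copying every culture folder it finds and comparing SHA-256 hashes after the copy.

```powershell
#Requires -RunAsAdministrator
# Added example (not Citrix tooling): stage receiver/CitrixBase templates in the local GPO store.
param(
    # Assumption: default path when Citrix Workspace app is installed without the VDA.
    [string]$Source      = 'C:\Program Files\Citrix\ICA Client\Configuration',
    [string]$Destination = (Join-Path $env:SystemRoot 'PolicyDefinitions')
)
$ErrorActionPreference = 'Stop'
$templates = 'receiver', 'CitrixBase'
$pairs = @()

# Language-neutral .admx files go to the root of PolicyDefinitions.
foreach ($name in $templates) {
    $admx = Join-Path $Source "$name.admx"
    if (-not (Test-Path -LiteralPath $admx -PathType Leaf)) {
        throw "Template not found: $admx"
    }
    $pairs += [pscustomobject]@{
        From = $admx
        To   = (Join-Path $Destination "$name.admx")
    }
}

# Each [MUIculture] folder (for example en-US) keeps its name under PolicyDefinitions.
foreach ($dir in Get-ChildItem -LiteralPath $Source -Directory) {
    foreach ($name in $templates) {
        $adml = Join-Path $dir.FullName "$name.adml"
        if (Test-Path -LiteralPath $adml -PathType Leaf) {
            $pairs += [pscustomobject]@{
                From = $adml
                To   = (Join-Path (Join-Path $Destination $dir.Name) "$name.adml")
            }
        }
    }
}

# Every .admx needs at least one matching .adml, so stop before copying if none exists.
# Requiring CitrixBase as well as receiver follows the note about the ICA File Signing policy.
foreach ($name in $templates) {
    if (-not ($pairs | Where-Object { $_.From -like "*\$name.adml" })) {
        throw "No $name.adml found in any culture folder under $Source"
    }
}

# Copy, then compare hashes so a partial or blocked write is reported instead of ignored.
$results = foreach ($p in $pairs) {
    $targetDir = Split-Path -Parent $p.To
    if (-not (Test-Path -LiteralPath $targetDir)) {
        New-Item -ItemType Directory -Path $targetDir | Out-Null
    }
    Copy-Item -LiteralPath $p.From -Destination $p.To -Force
    $srcHash = (Get-FileHash -LiteralPath $p.From -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $p.To   -Algorithm SHA256).Hash
    [pscustomobject]@{ File = $p.To; Verified = ($srcHash -eq $dstHash); SHA256 = $dstHash }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Verified }) {
    throw 'At least one copied template does not match its source.'
}
```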

App Protection

Disclaimer

App Protection policies filter the access to required functions of the underlying operating system (specific API calls required to capture screens or keyboard presses). App Protection policies provide protection even against custom and purpose-built hacker tools. However, as operating systems evolve, new ways of capturing screens and logging keys might emerge. While we continue to identify and address them, we cannot guarantee full protection in specific configurations and deployments.

App Protection is an add-on feature that provides enhanced security when using Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). The feature restricts the ability of keylogging and screen-capturing malware to compromise clients. App Protection prevents exfiltration of confidential information such as user credentials and sensitive information on the screen. The feature prevents users and attackers from taking screenshots and from using keyloggers to glean and exploit sensitive information.

App Protection requires that you install an add-on license on your License Server. A Citrix Virtual Desktops license must also be present. For information on Licensing, see the Configure section in the Citrix Virtual Apps and Desktops documentation.

Requirements:

  • Citrix Virtual Apps and Desktops Version 1912 or later.
  • StoreFront version 1912 or Workspace.
  • Citrix Workspace app Version 1912 or later.

Prerequisites:

  • The App Protection feature must be enabled on the Controller. For more information, see App Protection in Citrix Virtual Apps and Desktops documentation.

You can include the App Protection component with Citrix Workspace app either:

  • During Citrix Workspace app installation using the command-line interface or the GUI OR
  • During an app launch (on-demand installation).

Note:

  • This feature is supported only on desktop operating systems such as Windows 10 and Windows 8.1.
  • Starting with Version 2006.1, Citrix Workspace app isn’t supported on Windows 7. So, app protection doesn’t work on Windows 7. For more information, see Deprecation.
  • This feature isn’t supported over Remote Desktop Protocol (RDP).

On-premises HDX session protection:

Two policies provide anti-keylogging and anti-screen-capturing functionality in a session. These policies must be configured through PowerShell. No GUI is available for the purpose.

Note:

Starting with Version 2103, Citrix DaaS supports App Protection with StoreFront and Workspace.

For information on App Protection configuration on Citrix Virtual Apps and Desktops and Citrix DaaS, see App protection.

App Protection - Configuration in Citrix Workspace app

Note:

  • Include the App Protection component with Citrix Workspace app only if your administrator has instructed you to do so.
  • Adding the App Protection component might impact the screen-capturing capabilities on your device.

During the Citrix Workspace app installation, you can include App Protection using one of the following methods:

  • GUI
  • Command-line interface

GUI

During the Citrix Workspace app installation, use the following dialog to include the App Protection component. Select Enable app protection and then click Install to continue with the installation.

[Image: App Protection installation dialog]

Note:

Not enabling App Protection during installation causes a prompt to appear when you launch a protected app. Follow the prompt to install the App Protection component.

Command-line interface

Use the command-line switch /includeappprotection during Citrix Workspace app installation to add the App Protection component.

The following table provides information on screens protected depending on deployment:

| App Protection deployment | Screens protected | Screens not protected |
| --- | --- | --- |
| Included in Citrix Workspace app | Self-Service plug-in and Auth manager / User credentials dialog | Connection Center, Devices, Any Citrix Workspace app error messages, Auto client reconnect, Add account |
| Configured on the Controller | ICA session screen (both apps and desktops) | Connection Center, Devices, Any Citrix Workspace app error messages, Auto client reconnect, Add account |

When you’re taking a screenshot, only the protected window is blacked out. You can take a screenshot of the area outside the protected window. However, if you’re using the PrtScr key to capture a screenshot on a Windows 10 device, you must minimize the protected window.

Expected Behavior:

The expected behavior depends upon the method by which users access the StoreFront that has the protected resources.

Note:

  • Citrix recommends that you only use the native Citrix Workspace app to launch a protected session.
  • Behavior on the workspace for web:

    The App Protection component isn’t supported on the workspace for web configurations. Applications that are protected by App Protection policies aren’t enumerated. For more information about the resources assigned, contact your system administrator.

  • Behavior on Citrix Workspace app versions that do not support App Protection:

    On Citrix Workspace app Version 1911 and earlier, applications that are protected by App Protection policies aren’t enumerated on StoreFront.

  • Behavior of apps that have the App Protection feature configured on the Controller:

    On a Controller that has App Protection configured, if you try to launch a protected application, the App Protection component is installed on demand. The following dialog appears:

    [Image: App Protection on-demand installation dialog]

    Click Yes to install the App Protection component. You can then launch the protected app.

  • Behavior of a protected session in case of Remote Desktop Protocol (RDP):

    • Your active protected session disconnects if you launch a Remote Desktop Protocol (RDP) session.
    • You can’t launch a protected session in a Remote Desktop Protocol (RDP) session.

Enhancement to App Protection configuration

Previously, the authentication manager and the Self-Service plug-in dialogs were protected by default.

Starting with Version 2012, you can configure the anti-keylogging and anti-screen-capturing functionalities separately for both the authentication manager and Self-Service plug-in interfaces. You can configure the functionalities by using a Group Policy Object (GPO) policy.

Note:

This GPO policy isn’t applicable for ICA and SaaS sessions. The ICA and SaaS sessions continue to be controlled using the Delivery Controller and Citrix Secure Private Access.

Configuring App Protection for the Self-Service plug-in interface:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace.
  3. To configure anti-keylogging and anti-screen-capturing for the Self-Service plug-in dialog, select Self Service > Manage App Protection policy.
  4. Select one or both of the following options:
    • Anti-key logging: Prevents keyloggers from capturing keystrokes.
    • Anti-screen-capturing: Prevents users from taking screenshots and sharing their screen.
  5. Click Apply and OK.

Configuring App Protection for authentication manager:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace.
  3. To configure anti-keylogging and anti-screen-capturing for the authentication manager, select User authentication > Manage app protection policy.
  4. Select one or both of the following options:
    • Anti-key logging: Prevents keyloggers from capturing keystrokes.
    • Anti-screen-capturing: Prevents users from taking screenshots and sharing their screen.
  5. Click Apply and OK.

App Protection error logs:

Starting with Version 2103, the App Protection logs are collected as part of Citrix Workspace app logs. For more information about log collection, see Log collection.

You do not need to install or use a third-party app to collect the App Protection logs specifically. However, you can still use DebugView for log collection.

The App Protection logs are registered to the debug output. To collect these logs, do the following:

  1. Download and install the DebugView app from the Microsoft website.
  2. Launch the command prompt and run the following command:

    Dbgview.exe /t /k /v /l C:\logs.txt

    With the command above, you can view the logs in the C:\logs.txt file.

The command indicates the following:

  • /t – The DebugView app starts minimized in the notification area.
  • /k – Enable kernel capture.
  • /v – Enable verbose kernel capture.
  • /l – Log the output to a specific file.

Uninstalling the App Protection component:

To uninstall the App Protection component, you must uninstall Citrix Workspace app from your system. Restart the system for the changes to take effect.

Note:

App Protection is supported only on upgrade from Version 1912 onwards.

Known issues or limitations:

  • This feature isn’t supported on Microsoft Server operating systems such as Windows Server 2012 R2 and Windows Server 2016.
  • This feature isn’t supported in double-hop scenarios.
  • For this feature to function properly, disable the Client clipboard redirection policy on the VDA.

Application Categories

Application Categories allow users to manage collections of applications in Citrix Workspace app. You can create application groups for applications shared across different delivery groups or used by a subset of users within delivery groups.

For more information, see Create application groups in the Citrix Virtual Apps and Desktops documentation.

Improved ICA file security

This feature provides enhanced security while handling ICA files during a virtual apps and desktops session launch.

Citrix Workspace app lets you store the ICA file in the system memory instead of the local disk when you launch a virtual apps and desktops session.

This feature aims to eliminate surface attacks and any malware that might misuse the ICA file when it is stored locally. This feature also applies to virtual apps and desktops sessions that are launched on workspace for web.

Configuration

ICA file security is also supported when Citrix Workspace or StoreFront is accessed through the web. Client detection is a prerequisite for the feature to work if it’s accessed through the web. If you’re accessing StoreFront using a browser, enable the following attributes in the web.config file on StoreFront deployments:

| StoreFront Version | Attribute |
| --- | --- |
| 2.x | pluginassistant |
| 3.x | protocolHandler |

When you sign in to the store through the browser, click Detect Workspace App. If the prompt doesn’t appear, clear the browser cookies and try again.

If it’s a Workspace deployment, you can find the client detection settings by navigating to Accounts settings > Advanced > Apps and Desktops Launch Preference.

You can take extra measures so that sessions are launched only using the ICA file stored on system memory. Use any of the following methods:

  • Group Policy Object (GPO) Administrative template on the client.
  • Global App Config Service.
  • Workspace for web.

Using the GPO:

To block session launches from ICA files that are stored on the local disk, do the following:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace > Client Engine.
  3. Select the Secure ICA file session launch policy and set it to Enabled.
  4. Click Apply and OK.

Using the Global App Config Service:

You can use Global App Config Service from Citrix Workspace app 2106.

To block session launches from ICA files that are stored on the local disk, do the following:

Set the Block Direct ICA File Launches attribute to True.

For more information about Global App Config Service, see Global App Config Service documentation.

Using workspace for web:

To disallow ICA file download on the local disk when using workspace for Web, do the following:

Run the PowerShell module. See Configure DisallowICADownload.

Note:

The DisallowICADownload policy isn’t available for StoreFront deployments.

Log collection

Log collection simplifies the process of collecting logs for Citrix Workspace app. The logs help Citrix to troubleshoot and, in cases of complicated issues, to provide support.

You can collect logs using the GUI.

Collecting logs:

  1. Right-click the Citrix Workspace app icon in the notification area and select Advanced Preferences.
  2. Select Log collection. The Log collection dialog appears.

  3. Select one of the following log levels:
    • Low
    • Medium
    • Verbose
  4. Click Start collecting logs to reproduce the issue and collect the latest logs.

    The log collection process starts.

  5. Click Stop collecting logs after the issue is reproduced.
  6. Click Save log to save the logs to a desired location.

HDX adaptive throughput

HDX adaptive throughput intelligently fine-tunes the peak throughput of the ICA session by adjusting output buffers. The number of output buffers is initially set at a high value. This high value allows data to be transmitted to the client more quickly and efficiently, especially in high latency networks.

Better interactivity, faster file transfers, smoother video playback, and higher frame rate and resolution result in an enhanced user experience.

Session interactivity is constantly measured to determine whether any data streams within the ICA session are adversely affecting interactivity. If that occurs, the throughput is decreased to reduce the impact of the large data stream on the session and allow interactivity to recover.

This feature is supported only on Citrix Workspace app 1811 for Windows and later.

Important:

HDX adaptive throughput changes the output buffers by moving the mechanism from the client to the VDA. So, adjusting the number of output buffers on the client as described in CTX125027 has no effect.

Adaptive transport

Adaptive Transport is a mechanism in Citrix Virtual Apps and Desktops and Citrix DaaS that allows you to use Enlightened Data Transport (EDT) as the transport protocol for ICA connections. For more information, see the Adaptive transport section in the Citrix Virtual Apps and Desktops documentation.

Advanced Preferences sheet

You can customize the availability and contents of the Advanced Preferences sheet, which is opened from the right-click menu of the Citrix Workspace app icon in the notification area. Doing so ensures that users can apply only administrator-specified settings on their systems. Specifically, you can:

  • Hide the Advanced Preferences sheet altogether
  • Hide the following, specific settings from the sheet:
    • Data collection
    • Connection Center
    • Configuration checker
    • Keyboard and Language bar
    • High DPI
    • Support information
    • Shortcuts and Reconnect
    • Citrix Files
    • Citrix Casting

Hiding Advanced Preferences option from the right-click menu

You can hide the Advanced Preferences sheet by using the Citrix Workspace app Group Policy Object (GPO) administrative template:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Workspace > Self Service > Advanced Preferences Options.
  3. Select the Disable Advance Preferences policy.
  4. Select Enabled to hide the Advanced Preferences option from the right-click menu of the Citrix Workspace app icon in the notification area.

Note:

By default, the Not Configured option is selected.

Hiding specific settings from the Advanced Preferences sheet

You can hide specific user-configurable settings from the Advanced Preferences sheet by using the Citrix Workspace app Group Policy Object administrative template. To hide the settings:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Workspace > Self Service > Advanced Preferences Options.
  3. Select the policy for the setting you want to hide.

The following table lists the options that you can select and the effect of each:

| Options | Action |
| --- | --- |
| Not Configured | Displays the setting |
| Enabled | Hides the setting |
| Disabled | Displays the setting |

You can hide the following specific settings from the Advanced Preferences sheet:

  • Configuration checker
  • Connection Center
  • High DPI
  • Data collection
  • Delete saved passwords
  • Keyboard and Language bar
  • Shortcuts and Reconnect
  • Support information
  • Citrix Files
  • Citrix Casting

Hiding the Reset Workspace option from the Advanced Preferences sheet using the Registry editor

You can hide the Reset Workspace option from the Advanced Preferences sheet only using the Registry editor.

  1. Launch the registry editor.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Dazzle.
  3. Create a String Value key EnableFactoryReset and set it to any of the following options:
    • True - Displays the Reset Workspace option in the Advanced Preferences sheet.
    • False - Hides the Reset Workspace option in the Advanced Preferences sheet.

Hiding Citrix Workspace Updates option from the Advanced Preferences sheet

Note:

The policy path for the Citrix Workspace Updates option is different from the other options present in the Advanced Preferences sheet.

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Workspace > Workspace Updates.
  3. Select the Workspace Updates policy.
  4. Select Disabled to hide the Workspace Updates settings from the Advanced Preferences sheet.

StoreFront to Workspace URL Migration

This feature is in Technical Preview. StoreFront to Workspace URL migration enables you to seamlessly migrate your end users from a StoreFront store to Workspace store with minimal user interaction.

For example, suppose all your end users have a StoreFront store storefront.com added to their Workspace app. As an administrator, you can configure a StoreFront URL to Workspace URL mapping {'storefront.com':'xyz.cloud.com'} in the Global App Configuration Service. The Global App Config Service pushes the setting to all Citrix Workspace app instances, on both managed and unmanaged devices, that have the StoreFront URL storefront.com added.

Once the setting is detected, Citrix Workspace app adds the mapped Workspace URL xyz.cloud.com as another store. When the end user launches the Citrix Workspace app, the Citrix Workspace store opens. The previously added StoreFront store storefront.com remains added to the Workspace app. Users can always switch back to the StoreFront store storefront.com using the Switch Accounts option in the Workspace app. Admins can control the removal of the StoreFront store storefront.com from the Workspace app at the users’ end points. The removal can be done through the global app config service.

To enable the feature, do the following steps:

  1. Configure StoreFront to Workspace mapping using the Global App Config Service. For more information on Global App config service, see Global App Configuration Service.

  2. Edit the payload in the app config service:

    
    {
      "serviceURL": {
        "url": "https://storefront.acme.com:443",
        "migrationUrl": [
          {
            "url": "https://sampleworkspace.cloud.com:443",
            "storeFrontValidUntil": "2023-05-01"
          }
        ]
      },
      "settings": {
        "name": "Productivity Apps",
        "description": "Provides access StoreFront to Workspace Migration",
        "useForAppConfig": true,
        "appSettings": {
          "windows": [
            {
              "category": "root",
              "userOverride": false,
              "assignmentPriority": 0,
              "assignedTo": [
                "AllUsersNoAuthentication"
              ],
              "settings": [
                {
                  "name": "Hide advanced preferences",
                  "value": false
                }
              ]
            }
          ]
        }
      }
    }
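
A pre-flight check for the payload above, as an added example rather than Citrix code: because the mapping is pushed to every client that has the StoreFront URL added, it confirms that the StoreFront and migration URLs are absolute https URLs, that each migration host sits under an expected Workspace domain, and that storeFrontValidUntil parses as a date. The function name, the .cloud.com suffix default and the yyyy-MM-dd format are assumptions drawn from the sample values on this page, not from a published schema.

```powershell
# Added example: lint a StoreFront-to-Workspace migration payload before it is published.
function Test-MigrationPayload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Json,
        # Assumption: Workspace stores live under this DNS suffix (taken from the sample URLs).
        [string]$WorkspaceSuffix = '.cloud.com',
        [datetime]$Today = (Get-Date).Date
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    try { $payload = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $findings.Add("Not valid JSON: $($_.Exception.Message)"); return $findings }

    # Returns a [uri] for an absolute https URL, otherwise records a finding and returns $null.
    function Get-HttpsUri([string]$Value, [string]$Label) {
        $uri = $null
        $ok = [uri]::TryCreate($Value, [urikind]::Absolute, [ref]$uri)
        if (-not $ok -or $uri.Scheme -ne 'https') {
            $findings.Add("$Label is not an absolute https URL: '$Value'")
            return $null
        }
        return $uri
    }

    $storeFront = Get-HttpsUri $payload.serviceURL.url 'serviceURL.url'
    $targets = @($payload.serviceURL.migrationUrl | Where-Object { $_ })
    if ($targets.Count -eq 0) { $findings.Add('serviceURL.migrationUrl is empty or missing') }

    foreach ($t in $targets) {
        $ws = Get-HttpsUri $t.url 'migrationUrl.url'
        if ($ws -and -not $ws.Host.EndsWith($WorkspaceSuffix, [StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("migrationUrl host '$($ws.Host)' is outside $WorkspaceSuffix")
        }
        if ($ws -and $storeFront -and $ws.Host -eq $storeFront.Host) {
            $findings.Add('migrationUrl points back at the StoreFront host')
        }

        # Some PowerShell versions may hand back a [datetime]; otherwise parse the string strictly.
        $until = $t.storeFrontValidUntil
        if ($until -isnot [datetime]) {
            $parsed = [datetime]::MinValue
            $ok = [datetime]::TryParseExact([string]$until, 'yyyy-MM-dd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
            if (-not $ok) {
                $findings.Add("storeFrontValidUntil is not yyyy-MM-dd: '$until'")
                continue
            }
            $until = $parsed
        }
        if ($until.Date -lt $Today) {
            $findings.Add("storeFrontValidUntil $($until.ToString('yyyy-MM-dd')) is already in the past")
        }
    }
    $findings
}

# Constructed sample: the page's payload shape with deliberate mistakes in both entries.
$sample = @'
{
  "serviceURL": {
    "url": "https://storefront.acme.com:443",
    "migrationUrl": [
      { "url": "http://sampleworkspace.cloud.com", "storeFrontValidUntil": "2023-05-01" },
      { "url": "https://sampleworkspace.example.net:443", "storeFrontValidUntil": "01/05/2023" }
    ]
  }
}
'@
Test-MigrationPayload -Json $sample -Today ([datetime]'2023-01-01')
```

An empty result means none of these checks failed; it does not validate the rest of the settings block.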
    
