by Ray Davis, CTA
I recently worked with a client requesting extra features be set up within the Citrix Workspace app. The environment had a good security team and asked the following:
- Remove all ICA files being stored after launch use.
- Make the ICA file stored in memory so that if the ICA files were not removed, there was no location it would be downloaded to. The mindset around this is: “To reduce the attack surface, ICA files from Citrix Workspace app for Windows will now be stored in memory.”
Let’s dive into each setting and go over how I approached this.
Delete the ICA file after being used:
- You will notice the typical setup in most environments I have seen.
- The user opens a URL, navigates to the area where their company Citrix hosting site is, inputs username/password/MFA, clicks the Citrix resource, an ICA file is downloaded, and then opens.
- Depending on the browser, in most cases, it’s going to be Chrome/Chromium Edge/Firefox.
- Afterwards, you will notice the session ICA files in downloads (in most cases).
- To address this, the first setting is to Enable “ICA File Settings” and then check the box to “RemoveICAFile.” I explained to the customer that inside the ICA file, there is an STA (Secure Ticket Authority) and the lifetime of this is 100 seconds. Therefore, it will not be good. But as we all know, it will contain some environmental data. With that in mind, it was a reasonable request. I also explained that the STA ticket could only be used once, although they still wanted this feature set. “Okay, we can do that,” I said.
- Below is the screenshot of the GPO that will be needed, as the client was all Windows-based clients.
- For example, if the GPO above is not enabled, you will notice ICA files in the downloads from my last session.
- The default for Citrix Workspace App is when I launch a Citrix Session. You will see it download to my downloads folder and start connecting to the Desktop once you close the resource. The ICA file persists. But if I set the GPO, as I explained above, you will see this behavior.
- I log into my URL, open my Citrix resource, and download an ICA file.
- I am now logged into the Desktop, and the current ICA file is still in the downloads while I am in my session.
- Once the ICA session has ended, the ICA file is deleted per the GPO. As you can see, you don’t see it anymore. It deleted the ICA file, which was the desired configuration I was after.
- Once the GPO applies, you will see it here on the local Client if you want to check if the keys are enforced and get peace of mind, which the security team wanted to see as well.
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Client Engine\ICA File
- REG_SZ = RemoveICAFile
- Value = True
Addressing the ICA File in Memory
- I needed to do some reading on this, as I recall it being announced. I read the blogs to get a better understanding of the flow: Enhanced ICA file security on Citrix Workspace app for Windows | Citrix Blogs
- I also remember a podcast on this with some great information from Andy and Bill at XenTegra. (These podcasts provide excellent value by investing in the technology not only from an informative aspect but also a technical aspect for folks like myself. E83 – The Citrix Session: Enhanced ICA file security on Citrix Workspace app for Windows – XenTegra – Citrix, Microsoft, EUC, & Cloud Solutions and Services
What I Discovered After Some Quick Education
- This applies to Workspace App (Native application) and Workspace for Web.
- After reading the documentation on this, natively it was only supported by the Workspace app. Then in time, Citrix released it for the Workspace Web side.
- On Citrix StoreFront, you will see inside the Web.config file an entry like this.
- On the Citrix StoreFront server, inetpub location is where you will see the Web.config file. C:\inetpub\wwwroot\Citrix\labWeb
- <protocolHandler enabled=”true” platforms=”(Macintosh|Windows NT|Linux|CrOS).*((Firefox/((5[2-9]|[0-9])|\d\d\d))|(Chrome/((4[2-9]|[0-9])|\d\d\d)))|Macintosh.*Version/(1[2-9]|[2-9][0-9]).*Safari/”
- This protocolHandler should be enabled by default on 2203.1000 as well.
- I also went and enabled “Secure ICA File Session launch.” This will block the ICA files from being opened by browsers that can’t use the ICA in memory. I have no ICA file downloaded either, because I set this Citrix Workspace GPO.
- It’s no longer required to add the registry EnableIcaFileInMemory and set the value to “True.”
- To check this after the Citrix Workspace GPO is applied:
- REG_DWORD = BlockDirectICAFileLaunches
- Value = 1
- At first, I couldn’t get this to work in Edge.
- I am trying it with Edge.
- Next, I am trying it with Chrome. As you can see, it did what it was supposed to.
- For the most part, Chrome and Edge have the same code, and I was not sure why it wasn’t working in Edge.
- I went back to the docs, and this jumped out at me: “When you sign in to the store through the browser, click Detect Workspace App. If the prompt doesn’t appear, clear the browser cookies and try again.”
- This part is what detects the workspace for the web when, from what I gather, it is what detects to apply the “protocolHandler enabled=”true” If it does not do this the first time, it will not be able to open the ICA file if you have the GPO set to “Secure ICA File Session launch.”
- I cleared all my cookies from Edge and got the “Detect Workspace App” to prompt me.
- As you can see, it opened my Citrix Desktop now from Edge.
- If the user gets this error:
- You will have to ask them to clear the cookies to allow it to work. It may happen more than it should as well. Also, this was from my lab and testing.
- If the users are using only the Native Citrix Workspace app without going to the URL, this should not be a problem. It works every time as well.
- What about BYOD devices? Citrix has a solution for those as well: Global App Configuration Service (cloud.com)
- Recent enhancement: Manage Citrix Workspace app for your users with just one click | Citrix Blogs
- At this time, it is in Tech Preview, but it will be a game changer, in my humble opinion. Customize Citrix Workspace app settings [Technical Preview]
With these settings in place, I could achieve the desired configuration. I hope everyone had a wonderful holiday in 2022 and a safe and happy new year!