Friday, December 16, 2022

Citrix Workspace App device access behavior

Some documentation isn't updated as fast as some would like. Citrix has a couple of articles that outline how to configure the default device access behavior in Workspace app for Windows. But as with any documentation, things change around technology, user needs, and security.

I recently faced a challenge: users wanted the device access prompt (the dialog that asks whether the session may use local files, the microphone and webcam, and other local devices) to go away, and only webcams needed to be blocked.

Now, I understand the user can click the option and say "don't remind me again." But our job in these roles is to make things transparent for our end users and clients to promote a good Citrix environment. I understand this sounds small, but in a high-security environment it should be something any Citrix person keeps in the back of their mind. In my humble opinion, without proper configuration it will give any product a sour taste for a user or client. Citrix products (or really any products) take some heat from users at times. Citrix offers many configurations in its line of products. It's up to you as a system admin or consultant to do what you can to deliver a good experience.

  1. Navigate to the Citrix article and download the ADMX files:
  2. Log in with your Citrix account and download them.

The download contains the .admx template files along with their matching .adml language files.

  3. Drop the .admx files into the central store at \\lab.local\SYSVOL\lab.local\Policies\PolicyDefinitions (the .adml files go into the language subfolder beneath it, e.g. en-US).
  4. Open the Group Policy Management console and expand Citrix Components. You will see the Client Selective Trust x86 and x64 nodes.
  5. In my case, I disabled the x64 settings, but you don't need to unless you are using the 64-bit client.
  6. I proceeded with disabling the settings in "Client Selective Trust x64".
  7. In this situation, I defined the settings in "Client Selective Trust x86".
  8. Enable "Create Client Selective Trust Keys".
  9. For this specific setup, I was working on something for a client. They wanted things blocked and the popups stopped.
  10. I went through these locations and selected:
    • Enabled
    • 0: No access, specifying 0 (no access) for all categories:
      • File Security
      • MicrophoneAndWebcamSecurityPermission
      • PdaSecurityPermission
      • ScannerAndDigitalCameraSecurityPermission
    • Do this in all four zones:
      • oidInternetRegionIcaAuthorizationDecision
      • oidIntranetRegionIcaAuthorizationDecision
      • oidRestrictedSitesRegionIcaAuthorizationDecision
      • oidTrustedSitesRegionIcaAuthorizationDecision
  11. The last setting you will need, if not already completed, is to add the store URLs to the Trusted sites zone. Workspace app decides which of the four zone policies applies from the Internet Explorer security zone the store URL falls into, so a store URL that is not assigned to a zone is evaluated under whatever zone IE would give it, usually Internet.
  12. Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> enable "Site to Zone Assignment List" and add your company URL with a value of 2 (2 = Trusted sites).

  13. You can check the resulting key as well by browsing here:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
  14. With those settings in place, when a user opens a Citrix desktop you will notice that the Desktop Viewer preferences are already set for the user.
  15. The settings stop it from asking. They are set to "Do not connect me", and the users can still change them if needed.
  16. At this point the popups are gone, but the user still has control to change them. If you want to prevent users from changing them for security purposes, you need to edit the registry location on the client devices:
    • Here:
      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidPredefinedSecurityPolicySettings\InstantiatedSecurityPolicyEditable
    • The value is the REG_SZ (Default) value of that key.
    • It is True by default. True means the users can change the settings; False means they cannot.
    • Keep in mind this lives on the client device: anyone with administrative rights on the endpoint can set it back to True, so it shapes the user experience rather than enforcing anything. The Studio policies applied on the VDA side are the authoritative control.
  17. You don't need the user to log out; it takes effect once the client picks up the updated registry value. For safety, I would have them log out anyway, or wait until the next business day or until new sessions start. It's your option.
  18. You can toggle it on or off with a GPO computer startup script on the clients, or any other option you use in your enterprise environment. Note that the HKLM: drive already maps to HKEY_LOCAL_MACHINE, so the hive name is not repeated in the path:
    • Set-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidPredefinedSecurityPolicySettings\InstantiatedSecurityPolicyEditable' -Name '(Default)' -Value 'False'
    • Set-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidPredefinedSecurityPolicySettings\InstantiatedSecurityPolicyEditable' -Name '(Default)' -Value 'True'
  19. I am opening my desktop and will trigger something that wants to use my webcam, mic, and local drives.
  20. The options are now greyed out as well.
  21. No file security popup.
  22. The drive is not allowed to be accessed.
  23. Let's do a test with Zoom to see if it triggers the default device access behavior. No popup. In this case, the Zoom VDI plugin picked up the HDX optimized channels and natively allowed the mic.
  24. No USB options, as it's using the HDX optimized channel.
  25. To take it a step further, you can implement a Citrix Studio policy to restrict some of this. Setting Client drive redirection to Prohibited means the client's drives never show up in the session, regardless of what the client-side keys say.
  26. I had a request to allow mics only while blocking webcams. I must admit, this one was a challenging task.
  27. So I went back to the "Client Selective Trust x86" section and updated the keys, setting MicrophoneAndWebcamSecurityPermission to 2: Full access.
  28. I logged into my VDA.
  29. Mic came in with no device behavior popup.
  30. The camera came in with no device popup.
  31. One out of two things is working. We know the cam and mic come through, and I wanted to ensure no popup. Now I must figure out how to block the webcams for all.
  32. So I went into Citrix Studio and found the Multimedia conferencing policy. I set it to Prohibited.
  33. Result: no video.
  34. Let's undo the policy to ensure it works again. This also confirms that what I did is working after all.
  35. After setting it to Allowed, the camera came back.
  36. I achieved the desired configuration by:
    • Setting the client device keys to full access (2: Full access in the GPO)
    • Disabling the unused (x64) configuration
    • Setting the Multimedia conferencing policy to Prohibited, which did the trick here for the cameras
    • One check worth making: Multimedia conferencing governs the optimized HDX webcam channel. If the Client USB device redirection policy is allowed and its device rules permit video-class devices, a webcam could still reach the session as a generic USB device, so confirm that path is closed as well.
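As an added example (not code from the original post or from Citrix), here is a PowerShell script that audits the client-side end state described above on a Windows endpoint and, optionally, locks the device access preferences the same way the registry step does. The registry paths are the ones named in the post for the 32-bit Workspace app; the store host name storefront.lab.local is a lab assumption, and the ZoneMap layout it checks is the one the Site to Zone Assignment List policy writes (Domains\<domain>\<host> with a DWORD named after the scheme). A 64-bit Workspace app writes to the native hive, so the WOW6432Node segment would not apply there.

```powershell
# Added example for this post, not Citrix code: audit the client-side end state
# described above on a Windows endpoint running the 32-bit Citrix Workspace app,
# and optionally lock the device access preferences. Registry paths are the ones
# named in the post; the store host name and domain are lab assumptions.
#Requires -RunAsAdministrator

$EditableKey    = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidPredefinedSecurityPolicySettings\InstantiatedSecurityPolicyEditable'
$ZoneMapDomains = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-DeviceAccessEditable {
    # $true  : users can still change the Desktop Viewer device access preferences
    # $false : the (Default) value is "False" and the preferences are locked
    # $null  : the key does not exist yet (Workspace app has not created it)
    if (-not (Test-Path -LiteralPath $EditableKey)) { return $null }
    $value = (Get-ItemProperty -LiteralPath $EditableKey).'(default)'
    return ($value -ne 'False')
}

function Set-DeviceAccessEditable {
    param([Parameter(Mandatory)][bool]$Editable)
    # The client reads the REG_SZ (Default) value as the strings "True" / "False".
    if (-not (Test-Path -LiteralPath $EditableKey)) {
        New-Item -Path $EditableKey -Force | Out-Null
    }
    $data = if ($Editable) { 'True' } else { 'False' }
    Set-ItemProperty -LiteralPath $EditableKey -Name '(default)' -Value $data
}

function Test-TrustedSiteMapping {
    # Site to Zone Assignment List stores each entry as
    # ZoneMap\Domains\<domain>[\<host>] with a DWORD named after the scheme
    # (or "*" when no scheme was given); 2 is the Trusted sites zone.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$HostName,
        [string]$Scheme = 'https'
    )
    $key = Join-Path $ZoneMapDomains $Domain
    if ($HostName) { $key = Join-Path $key $HostName }
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $props = Get-ItemProperty -LiteralPath $key
    $zone = if ($props.PSObject.Properties[$Scheme]) { $props.$Scheme } else { $props.'*' }
    return ($zone -eq 2)
}

function Get-DeviceAccessReport {
    # Assumed lab store URL: https://storefront.lab.local
    param([string]$StoreDomain = 'lab.local', [string]$StoreHost = 'storefront')
    [pscustomobject]@{
        SelectiveTrustKeyPresent = Test-Path -LiteralPath $EditableKey
        UsersCanEditDeviceAccess = Get-DeviceAccessEditable
        StoreInTrustedSites      = Test-TrustedSiteMapping -Domain $StoreDomain -HostName $StoreHost
    }
}

# Usage: report first, lock the preferences as the post describes, then report again.
Get-DeviceAccessReport | Format-List
Set-DeviceAccessEditable -Editable $false
Get-DeviceAccessReport | Format-List
```

Run it from an elevated session on a test endpoint before pushing it as a startup script. Because the flag it sets is client-side, treat the report as a sanity check of the user experience; the Studio policies on the VDA remain the control that actually stops a device from entering the session.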

Hopefully this will help someone, and as always, if you know something better, please share 😊

After all, Sharing is caring in my books.

