How to Configure Default Device Access Behavior of Workspace app for Windows

Description

This article is intended for Citrix administrators and technical teams only.
Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.

Citrix Virtual Apps and Desktops, formerly XenDesktop, fits the enterprise need to bring both VDI and apps into a user-centric experience.

Citrix Virtual Apps, formerly XenApp, fits the enterprise need to bring legacy apps into a cloud management environment.This article describes how to configure the default device access behavior of Receiver, XenDesktop and XenApp.

Background

Administrators can configure the default behavior for device access when connecting to a Citrix Virtual Apps and Desktops environment. By default, the Desktop Viewer client device restrictions are based on the Internet region and this behavior can be changed by creating the Client Selective Trust feature registry keys under the HKey_Local_Machine hive in the registry and by modifying the required values.
With the default value, one of the following dialog boxes appear when accessing local files, webcams, or microphones:

HDX File Access

HDX Microphone and Webcam

Instructions

To configure default device access behavior of Citrix Workspace App, complete the following steps:
Note: In the ADM template there is the 'Create Client Service Trust Key' value, which can be used to automatically create all the required registry keys otherwise import registry keys first and make changes in registry values as explained and then apply ADM files and perform changes for ADM files. If you have applied ADM files first and then registry changes, there could be a possibility of continued unresolved issues.

Using ADM files ONLY and not importing registry hive or making changes to registry values will not resolve the issue. Both steps are required and should be applied in the correct order:
Step 1. Registry Hive,
Step 2. ADM File.
It is also applicable for Citrix Receiver 4.x.

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

Download the appropriate registry settings file that is attached to this article and import to a client device.
Note: The attachment contains the file for a 32-bit and a 64-bit operating system.
Note: If you have a 64-bit operating system, you should use the x86 registry file and policies. Support working with necessary teams to get naming of files clarified.

Open one of the following registry keys on the computer
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust (for 32 bit OS)
Or
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust. (for 64 Bit OS)

Note: The key "HKEY_CURRENT_USER\SOFTWARE\Citrix\ICA Client\Client Selective Trust" has higher priority than "HKLM\SOFTWARE\Citrix\ICA Client\Client Selective Trust". This Key will be created every time a user makes changes in the preferences of Receiver. As this key has priority, it needs to be deleted at every reboot.
In the appropriate region(s), change the default value of any of the following resources according to the list of Access Values:

Resource Key	Resource Description
FileSecurityPermission	Client Drives
MicrophoneAndWebcamSecurityPermission	Microphones and Webcams
ScannerAndDigitalCameraSecurityPermission	USB and Other Devices

Access Values:

0 = No Access
1 = Read Only Access
2 = Full Access
3 = Prompt User for Access

Export the Client Selective Trust key to a new .reg file.
Import the modified .reg file on each client device.
This process can be automated by using a log on script.

Note: Included in the ZIP archive are the Group Policy ADM files specifically for x86 or x64 operating systems which create the required registry keys on the client machine and add the ability to modify the values as explained in the preceding section. If an Organizational Unit (OU) or group of computers contains multiple architectures, ensure to use a method such as Windows Management Instrumentation (WMI) filtering to apply the appropriate settings.

For clients supporting adml/admx format templates follow: https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/bb530196(v=msdn.10)?redirectedfrom=MSDN

Steps-
a) Download template.zip from - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX133565
b) Opened gpedit to import the template
Computer configuration -> Right click on "Administrative template" -> Add/Remove templates -> Added "ClientSelectiveTrustX86Full.adm"

Configure below polices -
1. Computer configuration-> Administrative templates -> Client Administrative templates -> Citrix Client selective trust - Enabled "Create Client Selective Trust keys"
2. Computer configuration-> Administrative templates -> Client Administrative templates -> Trusted sites region -> IcaAuthorizationDecision -> Enabled "FileSecurityPermission" to "Read Only" Or anything you want.
3. Computer configuration-> Administrative templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Enable "Site to Zone Assignment list" and added url as -
https://StorefrontURL/

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Issue/Introduction

This article describes how to configure default device access behavior of Citrix Workspace App, Citrix Virtual Apps and Desktops.

Additional Information

Citrix Documentation - https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/group-policy.html
Citrix Workspace App - https://www.citrix.com/downloads/workspace-app/windows/workspace-app-for-windows-latest.html

Attachments

Templates.zip get_app

Welcome to "KB Articles"