This article is intended for Citrix administrators and technical teams only.
Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.

Citrix Virtual Apps and Desktops, formerly XenDesktop, fits the enterprise need to bring both VDI and apps into a user-centric experience.

Citrix Virtual Apps, formerly XenApp, fits the enterprise need to bring legacy apps into a cloud management environment.This article describes how to configure the default device access behavior of Receiver, XenDesktop and XenApp.
 

Background

With the introduction of Receiver 3.x client, administrators can configure the default behavior for device access when connecting to a Citrix XenDesktop or XenApp environment. By default, the Desktop Viewer client device restrictions are based on the Internet region and this behavior can be changed by creating the Client Selective Trust feature registry keys under the HKey_Local_Machine hive in the registry and by modifying the required values.
With the default value, one of the following dialog boxes appear when accessing local files, webcams, or microphones:

• HDX File Access

• HDX Microphone and Webcam

Note: When setting Client Selective Trust on a Windows 7 Machine launching applications using Google Chrome via NetScaler Gateway Site, the application will never launch. Only Published Desktops will launch. 

Backend could contain any version of XenApp, Web Interface, or StoreFront. Currently being observed on Receiver 4.3+. It seems when the Client Selective Trust is enabled Chrome is unable to find the ICA file URL. This is currently being looked into. 

If using Windows 10 machines and trying to launch applications using Google Chrome via NetScaler Gateway site, this might fail. Going into Google Chrome Settings and changing the Privacy/Content settings for Plugins to "Run All Plugins" will resolve it. This does not work for Windows 7 Machines. 

Working Scenarios: 
1. Disabling Client Selective Trust 
2. Using IE instead with Client Selective Trust enabled 

Note: When setting Client Selective Trust on a Windows 7 Machine launching applications using Google Chrome via NetScaler Gateway Site, the application will never launch. Only Published Desktops will launch. 

Backend could contain any version of XenApp, Web Interface, or StoreFront. Currently being observed on Receiver 4.3+. It seems when the Client Selective Trust is enabled Chrome is unable to find the ICA file URL. This is currently being looked into. 

If using Windows 10 machines and trying to launch applications using Google Chrome via NetScaler Gateway site, this might fail. Going into Google Chrome Settings and changing the Privacy/Content settings for Plugins to "Run All Plugins" will resolve it. This does not work for Windows 7 Machines. 

Working Scenarios: 
1. Disabling Client Selective Trust 
2. Using IE instead with Client Selective Trust enabled 

Instructions

To configure default device access behavior of Citrix Workspace App, complete the following steps:
Note: In the ADM template there is the 'Create Client Service Trust Key' value, which can be used to automatically create all the required registry keys otherwise import registry keys first and make changes in registry values as explained and then apply ADM files and perform changes for ADM files. If you have applied ADM files first and then registry changes, there could be a possibility of continued unresolved issues.

Using ADM files ONLY and not importing registry hive or making changes to registry values will not resolve the issue. Both steps are required and should be applied in the correct order:
Step 1. Registry Hive,
Step 2. ADM File.
It is also applicable for Citrix Receiver 4.x.

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

1. Download the appropriate registry settings file that is attached to this article and import to a client device.
   Note: The attachment contains the file for a 32-bit and a 64-bit operating system.
   Note: If you have a 64-bit operating system, you should use the x86 registry file and policies. Support working with necessary teams to get naming of files clarified.

2. Open one of the following registry keys on the computer
   HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Client Selective Trust (for 32 bit OS)
   Or
   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust. (for 64 Bit OS)
   
   Note: The key "HKEY_CURRENT_USER\SOFTWARE\Citrix\ICA Client\Client Selective Trust" has higher priority than "HKLM\SOFTWARE\Citrix\ICA Client\Client Selective Trust". This Key will be created every time a user makes changes in the preferences of Receiver. As this key has priority, it needs to be deleted at every reboot.
3. In the appropriate region(s), change the default value of any of the following resources according to the list of Access Values:

Access Values:

• 0 = No Access
• 1 = Read Only Access
• 2 = Full Access
• 3 = Prompt User for Access

4. Export the Client Selective Trust key to a new .reg file.
5. Import the modified .reg file on each client device.
6. This process can be automated by using a log on script.

Note: Included in the ZIP archive are the Group Policy ADM files specifically for x86 or x64 operating systems which create the required registry keys on the client machine and add the ability to modify the values as explained in the preceding section. If an Organizational Unit (OU) or group of computers contains multiple architectures, ensure to use a method such as Windows Management Instrumentation (WMI) filtering to apply the appropriate settings.

For clients supporting adml/admx format templates follow: https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/bb530196(v=msdn.10)?redirectedfrom=MSDN

Steps-
a) Download template.zip from https://support.citrix.com/article/CTX133565/how-to-configure-default-device-access-behavior-of-workspace-app-for-windows ​​​​​​​
b) Check CWA installation on endpoint device -
x86 directory - C:\Program Files (x86)\Citrix\Citrix WorkSpace XXX
x64 directory - C:\Program Files\Citrix\Citrix WorkSpace XXX
c) Opened gpedit to import the template
Computer configuration -> Right click on "Administrative template" -> Add/Remove templates -> Added "ClientSelectiveTrustX86Full.adm"

Configure below polices -
1. Computer configuration-> Administrative templates -> Client Administrative templates -> Citrix Client selective trust - Enabled "Create Client Selective Trust keys"
2. Computer configuration-> Administrative templates -> Client Administrative templates -> Trusted sites region -> IcaAuthorizationDecision -> Enabled "FileSecurityPermission" to "Read Only" Or anything you want.
3. Computer configuration-> Administrative templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Enable "Site to Zone Assignment list" and added url as -
https://StorefrontURL/

• Citrix Documentation - https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/group-policy.html
• Citrix Workspace App - https://www.citrix.com/downloads/workspace-app/windows/workspace-app-for-windows-latest.html