Prevent ICA downloads when initiating a hybrid launch


Article ID: CTX584240


Description

ICA files contain the information to connect to a resource so must be handled securely. In some situations when the user uses a web browser to launch into Citrix Workspace app installed locally (hybrid launch), the browser downloads an .ica file rather than keeping it in-memory, which allows it to be copied between computers and potentially abused.


Instructions

When a user launches a Virtual App or Desktop, StoreFront generates what is known as an .ica file that contains the instructions for the client to launch that desktop. This file can only be used once and in a limited time period but in this time period it must be kept securely.

Normally, with StoreFront 3.0 and higher, StoreFront uses Citrix Workspace Launcher to invoke Citrix Workspace app without needing to save the file to disk. However, there are some cases where the browser downloads the .ica file to disk, and the user can then manually run it to open it with the locally installed Workspace app. Due to the sensitive nature of these files, it is advisable to configure StoreFront to prevent this.

The best option is to have Citrix Workspace web extension installed, in which case the website uses it to communicate with the locally installed Citrix Workspace app in-memory without needing to download .ica files.

If the web extension is not installed then on Windows, Mac and Linux with supported browsers, the web site uses Citrix Workspace launcher to communicate with their locally installed Citrix Workspace app in-memory.

The first time the user goes to their store website, the website tries to open Citrix Workspace launcher. If the user clicks Open then it will subsequently launch apps and desktops using the launcher. However, the user has the option to bypass this by clicking the button “Already installed”. If the user clicks this then subsequent launches will download ica files. This option is useful for users with legacy versions of Citrix Receiver but is not needed for most organisations today.

Hide ‘Already Installed’ link on client detection page

With StoreFront 2402, you can hide the “Already installed” link by unticking Show the Already installed option on the client detection page.

With earlier StoreFront versions, you can customise your StoreFront to hide the “Already installed” link, and to clear the configuration for existing users who previously clicked ‘Already installed’.

On your StoreFront server, open c:\inetpub\wwwroot\citrix\[store website]\custom\style.css and add:

.detect-already-installed, .detect-already-installed-separator, .detect-already-installed-note, .validate-already-installed, .validate-use-light-version-separator, .validate-already-installed-note {display: none;}

In c:\inetpub\wwwroot\citrix\[store website]\custom\script.js, at the bottom add:

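CTXS.Extensions.preInitialize = function(callback) {
    // Clear the saved client-detection choice for users who previously
    // clicked "Already installed", so that client detection runs again.
    if (CTXS.getCookie("CtxsClientDetectionDone") == "true" && CTXS.getCookie("CtxsUserPreferredClient") == "Native" && CTXS.getCookie("CtxsClientVersion") == null)
    {
        CTXS.removeCookie("CtxsClientDetectionDone");
        CTXS.removeCookie("CtxsUserPreferredClient");
    }
    // Hand control back to StoreFront so that initialisation continues.
    callback();
};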

Warning: These scripts are only valid on StoreFront versions from 1912 to 2311. They must be removed when upgrading to StoreFront 2402 or higher.

After making this change, users do not see the “Already installed” link.

Prevent ICA downloads on all platforms

The above changes prevent .ica downloads on platforms that support Citrix Workspace Launcher. There are also some platforms that do not support Citrix Workspace Launcher and always download an .ica file when you hybrid launch an app or desktop. These are:

  • iOS
  • iPadOS
  • Android
  • Legacy versions of Citrix Receiver.
  • Internet Explorer 11 if the “Citrix ICA Client” add-on is not enabled (normally installed and enabled as part of Citrix Workspace app for Windows).
  • Unsupported web browsers.

For these cases, there is no way to launch applications without downloading .ica files but you can completely block launches in StoreFront 2402 or higher by ticking Prevent ICA downloads on all platforms.

On earlier versions of StoreFront you can achieve the same effect by adding the following to script.js. This should be used in addition to the above script.

// Keep a reference to StoreFront's original launch function.
var launcher = CTXS.launchResource;
CTXS.launchResource = function(res, isAutoLaunch, chromeAppOptions)
{
    let isNativeClient = CTXS.Device.isNativeClient();
    let launchMethod = CTXS.ClientManager.getLaunchMethod();
    if (!isNativeClient && launchMethod == CTXS.LaunchMethod.ICA_FILE) {
        // This launch would download an .ica file: block it and tell the user.
        CTXS.ExtensionAPI.showMessage({
            messageTitle: "Unable to launch",
            messageText: "ICA file downloads are disabled.",
            okButtonText: "Close",
            okAction: function() {
                res.isLaunchInProgress = false;
            }
        });
    }
    else
    {
        // Every other launch method goes through the original function.
        launcher(res, isAutoLaunch, chromeAppOptions);
    }
};

Warning: These scripts are only valid on StoreFront versions from 1912 to 2311. They must be removed when upgrading from StoreFront 2311 to a newer version.

If you try to launch a resource on a platform that does not support Workspace launcher you will get an error message.

To launch apps on these platforms, use the locally installed Citrix Workspace app to connect to your store. 
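Both warnings above require the custom CSS and scripts to be removed when moving past StoreFront 2311. The following PowerShell audit is an added example, not part of the Citrix article or Citrix's own code: it lists every store website whose custom\style.css or custom\script.js still contains the snippets from this article. It assumes the default web root C:\inetpub\wwwroot\Citrix; the $CitrixRoot parameter and the marker patterns are choices made for this example.

```powershell
# Added example (not Citrix code): find the pre-2402 customisations from this
# article in every store website's "custom" folder.
# Assumption: StoreFront sites live under C:\inetpub\wwwroot\Citrix.
param(
    [string]$CitrixRoot = 'C:\inetpub\wwwroot\Citrix'
)

# Regex markers built from strings that appear in the article's snippets.
$markers = @(
    @{ File = 'style.css'; Pattern = '\.detect-already-installed';       What = 'CSS hiding the "Already installed" link' }
    @{ File = 'script.js'; Pattern = 'CtxsUserPreferredClient';          What = 'preInitialize cookie reset' }
    @{ File = 'script.js'; Pattern = 'CTXS\.launchResource\s*=(?!=)';    What = 'launchResource wrapper blocking ICA downloads' }
)

$findings = foreach ($site in Get-ChildItem -LiteralPath $CitrixRoot -Directory) {
    foreach ($m in $markers) {
        $file = Join-Path (Join-Path $site.FullName 'custom') $m.File
        # Folders that are not store websites have no custom files: skip them.
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }

        foreach ($hit in Select-String -LiteralPath $file -Pattern $m.Pattern) {
            [pscustomobject]@{
                Site          = $site.Name
                File          = $m.File
                Line          = $hit.LineNumber
                Customisation = $m.What
                Text          = $hit.Line.Trim()
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Site, File, Line | Format-Table -AutoSize -Wrap
    Write-Warning 'Remove these customisations before upgrading to StoreFront 2402 or higher.'
} else {
    Write-Output "No customisations from this article found under $CitrixRoot."
}
```

Run it on each StoreFront server in the server group before the upgrade; a site that reports nothing either never had the customisations or has already had them removed.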

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.