When you’ve worked with a Citrix XenApp or XenDesktop environment you are probably familiar with the Security Warning dialog. It prevents a remote machine (your hosted application or desktop) from accessing resources on the client device, a security boundary you want to protect when users connect from unmanaged systems.
On managed systems, however, you want to suppress this message: you don’t want to confront your users with a dialog you then tell them to accept anyway (and if they don’t accept it, things don’t work and they get the blame).
In this article I’ll explain why this message is displayed and how you can prevent it.
Resource types
A user can be confronted with a security warning dialog for different resources, depending on the client used:

| Resource description | Client version < 12.0 | Client version 12.0 and up |
|---|---|---|
| Client drives | X | X |
| Microphone and webcams | X | X (only audio) |
| PDA devices | X | – |
| USB and other devices | X | – |
Client versions
“Back in the old days”, or when you’re using Citrix Presentation Server 4.5 or older, a Citrix ICA Client with a version lower than 12.0 is used. The security warning dialog can be configured with the webica.ini file in the user’s profile.
The Citrix Receiver (version 12.0 and up) ignores the webica.ini file and is configured solely via the registry. A new feature named ‘Client Selective Trust’ was introduced to allow a more fine-grained configuration that can be set via group policy.
Before version 12.0
When you’re using a Citrix ICA client before version 12.0 the user will be asked what access level should be allowed. The user can choose between three access levels:
- No Access
- Read Access
- Full Access
Depending on the version used, the following message is displayed:
Preventing the message
This message can be prevented by placing a webica.ini file in the %SystemRoot% (version 10.0 or lower) or the %AppData%\ICAClient directory (version 10.1 or higher).
The file has the following content:

```ini
[Access]
GlobalSecurityAccess=403
[AudioInput]
GlobalSecurityAccess=803
```

Where the number represents an access level:

| Access value | Description |
|---|---|
| -1 | No security setting configured |
| 403 | No Access |
| 403 | Read Access |
| 405 | Full Access |

| AudioInput value | Description |
|---|---|
| 803 | No Access, never ask me again |
| 804 | Full Access, never ask me again |
| 806 | Never prompt current application |
| 807 | Never prompt any application |
| 808 | |
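As an added example (this is not code from the original article or from Citrix), the PowerShell below picks the webica.ini location the article gives for a client version, writes the two sections shown above, and reads the file back with a small INI parser so you can verify what the client will actually see. The function names, the version parameter and the temporary path in the usage are my own; the access values come from the article's tables.

```powershell
# Returns the webica.ini path the article gives for a given ICA client version.
function Get-WebicaIniPath {
    param([Parameter(Mandatory)][version]$ClientVersion)
    # Version 10.0 or lower: %SystemRoot%\webica.ini; 10.1 or higher: %AppData%\ICAClient\webica.ini
    if ($ClientVersion -le [version]'10.0') { return Join-Path $env:SystemRoot 'webica.ini' }
    return Join-Path $env:APPDATA 'ICAClient\webica.ini'
}

# Writes a webica.ini with the [Access] and [AudioInput] sections from the article.
# The defaults (403 = No Access, 803 = No Access, never ask me again) suppress the
# prompt while keeping the client device closed; pass other values from the tables as needed.
function Write-WebicaIni {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$DriveAccess = 403,
        [int]$AudioAccess = 803
    )
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $lines = @(
        '[Access]',     "GlobalSecurityAccess=$DriveAccess",
        '[AudioInput]', "GlobalSecurityAccess=$AudioAccess"
    )
    Set-Content -LiteralPath $Path -Value $lines -Encoding Ascii
}

# Minimal INI reader: returns a hashtable keyed "Section.Key", so the two
# GlobalSecurityAccess entries (one per section) do not collide.
function Read-WebicaIni {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    $section  = $null
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }           # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue } # [Section] header
        if ($section -and $line -match '^([^=]+)=(.*)$') {
            $settings["$($section).$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Usage: write to a temporary file (constructed path) and read it back.
$tmp = Join-Path $env:TEMP 'webica-example.ini'
Write-WebicaIni -Path $tmp -DriveAccess 405 -AudioAccess 803
$cfg = Read-WebicaIni -Path $tmp
"Client drives: $($cfg['Access.GlobalSecurityAccess']), audio: $($cfg['AudioInput.GlobalSecurityAccess'])"
"Location the client would read for version 11.0: $(Get-WebicaIniPath -ClientVersion '11.0')"
```

Because the file lives in the user's profile, it has to be delivered per user (a logon script or a profile default); reading it back with Read-WebicaIni is a cheap way to confirm the value that was deployed before concluding that the client ignores it.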
Version 12.0 and up (Citrix Receiver)
From Citrix Online Plugin 12.0 and up, including the current Citrix Receiver 3.x, users are presented with the following dialog:
The content of the message depends on the resource that is accessed from the remote server.
GUID
For each target environment that is accessed, a unique registry key is created with the name HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}. The {GUID} appears to be generated at runtime and therefore cannot be predicted. You can find out which GUID belongs to which connection by reading the value HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}\RegionName\@. This value contains the name of the environment.
If you connect via a Web Interface / CloudGateway this key contains the URL (like lab.pepperbyte.com). When you connect directly to a published application / server via an ICA file the content will be something like ica://172.31.50.132:1494.
Preventing the message
The message can be configured per resource type, where each resource type is a subkey of ICA Client\Client Selective Trust\{GUID}IcaAuthorizationDecision (note: no \ after the GUID!).

| Resource type | Subkey |
|---|---|
| Client drives | FileSecurityPermission |
| Microphones and webcams | MicrophoneAndWebcamSecurityPermission |
| PDA devices | PdaSecurityPermission |
| USB and other devices | ScannerAndDigitalCameraSecurityPermission |

The access level is set in the default (@) value of that subkey, where the number represents an access level:

| Value | Description |
|---|---|
| 0 | No access |
| 1 | Read access |
| 2 | Full access |
| 3 | Prompt the user for access |
The access level can be set per accessed environment (per GUID) or per region. By configuring the access level in the HKEY_LOCAL_MACHINE (HKLM) hive instead of the HKEY_CURRENT_USER (HKCU) hive, the setting is inherited by all users.
If you want to configure the access permission per region you need to change the value of IsIsmDeferalEnabled to true and set the access level per resource type.
The regions that can be configured in HKLM match the zones that can be found (and configured) in Internet Explorer:

| Zone | Subkey |
|---|---|
| Internet | oidInternetRegion |
| Local Intranet | oidIntranetRegion |
| Trusted sites | oidTrustedSitesRegion |
| Restricted sites | oidRestrictedSitesRegion |
Keep in mind that if you configure the settings on an x64 operating system the keys are stored in HKLM\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust.
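As an added example (not code from the original article or from Citrix), the PowerShell below first audits the Client Selective Trust decisions the article describes (one {GUID} key per environment, RegionName\@ for the environment name, and the per-resource subkeys under {GUID}IcaAuthorizationDecision) and then sets the access level for a single resource type. The function names are my own. It assumes that a key's default value is stored as a string, that per-machine settings on x64 are read under Wow6432Node as the article notes, and that a missing subkey simply means no decision has been recorded yet.

```powershell
# Resource-type subkeys and access levels, as listed in the article.
$ResourceSubkeys = @{
    'Client drives'           = 'FileSecurityPermission'
    'Microphones and webcams' = 'MicrophoneAndWebcamSecurityPermission'
    'PDA devices'             = 'PdaSecurityPermission'
    'USB and other devices'   = 'ScannerAndDigitalCameraSecurityPermission'
}
$AccessLevels = @{ 0 = 'No access'; 1 = 'Read access'; 2 = 'Full access'; 3 = 'Prompt the user for access' }

# Root of the Client Selective Trust tree for a hive. Per-machine settings on x64 sit
# under Wow6432Node (the article's caveat); the per-user tree is not redirected.
function Get-CstRoot {
    param([ValidateSet('HKCU','HKLM')][string]$Hive = 'HKCU')
    if ($Hive -eq 'HKLM' -and [Environment]::Is64BitOperatingSystem) {
        return 'HKLM:\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust'
    }
    return "${Hive}:\SOFTWARE\Citrix\ICA Client\Client Selective Trust"
}

# Audit: one object per (environment, resource type) with the recorded decision.
function Get-CstDecision {
    param([ValidateSet('HKCU','HKLM')][string]$Hive = 'HKCU')
    $root = Get-CstRoot -Hive $Hive
    if (-not (Test-Path -LiteralPath $root)) { return }
    $guidKeys = Get-ChildItem -LiteralPath $root | Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' }
    foreach ($key in $guidKeys) {
        $guid = $key.PSChildName
        # RegionName\@ holds the environment name (a Web Interface URL or an ica://host:port string).
        $regionKey = Join-Path $root "${guid}\RegionName"
        $envName = if (Test-Path -LiteralPath $regionKey) { (Get-ItemProperty -LiteralPath $regionKey).'(default)' }
        foreach ($resource in $ResourceSubkeys.Keys) {
            # No backslash between the GUID and IcaAuthorizationDecision, as the article stresses.
            $decKey = Join-Path $root "${guid}IcaAuthorizationDecision\$($ResourceSubkeys[$resource])"
            $level = $null
            if (Test-Path -LiteralPath $decKey) {
                $level = (Get-ItemProperty -LiteralPath $decKey).'(default)' -as [int]
            }
            $desc = if ($null -ne $level -and $AccessLevels.ContainsKey($level)) { $AccessLevels[$level] } else { 'not set' }
            [pscustomobject]@{ Guid = $guid; Environment = $envName; Resource = $resource; Level = $level; Decision = $desc }
        }
    }
}

# Record a decision for one environment and resource type (0-3 as in the article's table).
function Set-CstDecision {
    param(
        [Parameter(Mandatory)][string]$Guid,
        [Parameter(Mandatory)][ValidateSet('Client drives','Microphones and webcams','PDA devices','USB and other devices')][string]$Resource,
        [Parameter(Mandatory)][ValidateRange(0,3)][int]$Level,
        [ValidateSet('HKCU','HKLM')][string]$Hive = 'HKCU'
    )
    $decKey = Join-Path (Get-CstRoot -Hive $Hive) "${Guid}IcaAuthorizationDecision\$($ResourceSubkeys[$Resource])"
    if (-not (Test-Path -LiteralPath $decKey)) { New-Item -Path $decKey -Force | Out-Null }
    # Assumption: the key's default value is REG_SZ, so the level is written in its string form.
    Set-ItemProperty -LiteralPath $decKey -Name '(default)' -Value ([string]$Level)
}

# Usage: audit the current user's decisions first; then, after review, grant read-only
# client-drive access to one environment. The GUID below is a constructed placeholder.
Get-CstDecision -Hive HKCU | Format-Table Environment, Resource, Decision -AutoSize
# Set-CstDecision -Guid '{00000000-0000-0000-0000-000000000000}' -Resource 'Client drives' -Level 1
```

Running the audit on a few reference clients before rolling out a group policy shows which environments users have already answered the dialog for, and with which level; on managed devices the per-machine (HKLM) route with the region subkeys is the one that scales, since the per-GUID keys cannot be known in advance.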
Cheers Ingmar, did anyone find/make an ADM template for this yet?
This will do the trick, simply import an adm template and configure the IE site that the servers are in accordingly
http://support.citrix.com/article/CTX133565.
good job Citrix..
Hi Ingmar, I discovered the adm templates provided in the Citrix article do not contain all the required registry settings for client access control to work.
http://forums.citrix.com/thread.jspa?messageID=1725617
nice work! thanks for sharing this!
You’re welcome!
Hi
We are using Citrix ICA Client 11.0.0.5357 for our users to connect from remote locations.
I need to remove the Client File Security popup from when they logon.
How would I go about this? I have read your document but the instructions for the version we are using seem to require the addition of the webica.ini file on the local profile of a user to which we would have no access.
Is there a setting we can apply which will stop the prompt from appearing for all users that connect? If so would this need to be applied to all servers that are in the farm that are used for remote access or just the main citrix xenapp server?
I would be very grateful if anyone could point me in the right direction.
Thanks
Julia
Hi Julia,
The dialog you’re seeing is a security dialog which needs to be configured on a per-user basis.
If you can’t control the content of the %AppData%\ICAClient\webica.ini file then the only way of preventing this dialog is to configure a Citrix policy that disables all client access (drives, printers and clipboard).
Cheers,
Ingmar
Nice information and thanks for putting it together.
Excellent article, very helpful. Is there a way to tell which region and keys control what client device resources? I have a number of users who receive the prompt when trying to access files on a USB drive, others receive the prompt when trying to utilize voice call features over MS Lync.
See post
I was able to get everything working all through group policy by
1) adding the storefront https:// url and the applink https:// url to the list of trusted sites
2) delete the HKCU…\Client Selective Trust key and all the subkeys
That worked great, and it was all through group policy registry preferences.