Citrix Receiver - Security WarningWhen you’ve worked with a Citrix XenApp or XenDesktop environment you must be familiar with the Security Warning dialog. It prevents a remote machine (your hosted application or desktop) from accessing resources on the client device, a security boundary you want to protect when from unmanaged systems.

But on managed systems you want to prevent this message, you don’t want your users to be confronted with a message you tell them to accept (otherwise it won’t work and they’re to blame).

In this article I’ll explain why this message is displayed and how you can prevent it.

Resources types

A users can be confronted with a security warning dialog for different resources, this depends on the client used:

Resource description Client version < 12.0 Client version > 12.0
Client drives X X
Microphone and webcams X X (only audio)
PDA devices X
USB and other devices X

 

Client versions

“Back in the old days”, or when you’re using Citrix Presentation Server 4.5 or older, a Citrix ICA Client is used with a version lower than 12.0.  The security warning dialog can be configured with the webica.ini file in the users profile.

The Citrix Receiver (version 12.0 and up) ignores the webica.ini file and is solely configured via the registry. A new feature with the name ‘Client Selective Trust’ was introduced to allow a more fine grained configuration that can be set via a group policy.

 

Before version 12.0

When you’re using a Citrix ICA client before version 12.0 the user will be asked what access level should be allowed. The users can choose between three access levels:

  • No Access
  • Read Access
  • Full Access

Depending of the version used the following message will be displayed

Client File Security 10.xClient File Security 11.xICA Client File Security

 
Preventing the message

This message can be prevented by placing a webica.ini file in the %SystemRoot% (version 10.0 or lower) or the %AppData%\ICAClient directory (version 10.1 or higher).

The file has the following content

[Access]
GlobalSecurityAccess=403

[AudioInput]
GlobalSecurityAccess=803

Where the number represents an access level

Access   AudioInput  
-1 No security setting configured 803 No Access, never ask me again
403 No Access 804 Full Access, never ask me again
403 Read Access 806 Never prompt current application
405 Full Access 807 Never prompt any application
    808  

 

Version 12.0 and up (Citrix Receiver)

From Citrix Online Plugin 12.0 and up, including the current Citrix Receiver 3.x, users are presented the following dialog:

File Security - Citrix Online PluginCitrix Receiver - Security Warning

The content of the message depends on the resource that is accessed from the remote server.

 

GUID

For each target environment that is accessed a unique registry key is made in registry with the name HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}. It seems that the {GUID} is generated during runtime and (therefore) cannot be predicted. You can find what GUID belongs to what connection by reading the value HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}\RegionName\@.This value contains the name of the environment.

If you connect via a webinterface / cloudgateway this key contains the URL (like lab.pepperbyte.com). When you connected directly to a published application / server via an ICA file the content will be something like ica://172.31.50.132:1494.


Preventing the message

The message van be configured per resource type, where each resource type is a subkey of ICA Client\Client Selective Trust\{GUID}IcaAuthorizationDecision (no \ after the GUID!).

Resource type Subkey
Client drives FileSecurityPermission
Microphones and webcams MicrophoneAndWebcamSecurityPermission
PDA devices PdaSecurityPermission
USB and other devices ScannerAndDigitalCameraSecurityPermission

The access level can be set in the default (@) value where the number represents an access level

Value Description
0 No access
1 Read access
2 Full access
3 Prompt the user for access

The access level can be set per accessed environment (per GUID) or per region. By configuring the access level on the HKEY_LOCAL_MACHINE (HKLM) hive instead on the HKEY_CURRENT_USER (HKCU) hive the setting is inherited by all users.

oidUserRestrictedSitesRegionIf you can to configure the access permission per region you need to change the value of IsIsmDeferalEnabled to true and set the access level per resource type.

The regions that can be configured in HKLM match the regions that can be found (and configured) in Internet Explorer.

Zone Subkey
Internet oidInternetRegion
Local Intranet oidIntranetRegion
Trusted sites oidTrustedSitesRegion
Restricted sites oidRestrictedSitesRegion

Keep in mind that if you configure the settings on a x64 operating system the keys are stored in HKLM\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust.

11 Comments

  1. Hi

    We are using Citirix ICA Client 11.0.0.5357 for our users to connect from remote locations.

    I need to remove the Client File Security popup from when they logon.

    How would I go about this? I have read your document but the instructions for the version we are using seem to require the addidtion of the webica.ini file on the local profile of a user to which we would have no access.

    Is there a setting we can apply which will stop the prompt from appearing for all users that connect? If so would this need to be applied to all servers that are in the farm that are used for remote access or just the main citrix xenapp server?

    I would be very grateful if anyone could point me in the right direction.

    Thanks

    Julia

    1. Hi Julia,

      The dialog your seeing is the a security dialog which needs to be configure on a per-user basis.

      If you can’t control the content %AppData%\ICAClient\webica.ini file then the only of preventing this dialog is to configure a Citrix policy that disables all client acces (drives, printers and clipboard).

      Cheers,
      Ingmar

  2. Excellent article, very helpful. Is their a way to tell which region and keys controls what client device resources? I have number of users who receive the prompt when trying to access files on a USB drive, others receive the the prompt when trying to utilize voice call features over MS Lync.

  3. I was able to get everything working all through group policy by
    1) adding the storefront https:// url and the applink https:// url to the list of trusted sites
    2) delete the HKCU….\Client Selelctive Trust key and all the subkeys

    That worked great, and it was all through group policy registry preferences.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

en_USEnglish