Citrix announced in late February that App Protection, a feature of on-premises Citrix Virtual Apps and Desktops was now generally available. We wanted to take a look at this neat new security tool and how it works.
What is App Protection
App Protection is an add-on for on-prem CVAD for unmanaged devices on Windows and macOS. Currently it’s only available for on-prem users, but Eric Kenney, Citrix senior product marketing manager, told me that they’re working to bring App Protection to Citrix Cloud at some point later in 2020.
App Protection prevents keyloggers from recording keyboard inputs and malicious software from capturing the user’s screen. With it enabled, keyloggers will only see random text and the screen capture will only provide a blacked-out screenshot.
The feature gets implemented at the Workspace app level, with admins enabling the policies through Citrix Studio. Once admins push the policies, it begins protecting the user from the next time they go to log into their account (including from when they input their credentials). App Protection doesn’t require any additional agents on the device, only the Citrix Workspace app.
At a technical level, Eric told me that Citrix uses kernel mode driver on Windows (Apple announced they were deprecating kernel extensions and have started with macOS 10.15.4) and OS API to prevent keystrokes from being captured by keyloggers, while screenshots are prevented through the API interface “used by most of the screen grabber tools.”
To use App Protection, end users need to have Workspace app version 1912 or later on Windows and 2001 or later on macOS.
Eric and I also discussed some upcoming roadmap features. Adding App Protection to Citrix Cloud appears to be the main focus, but another goal is to have it support additional device types beyond Windows and Mac. Right now, App Protection prevents keyloggers and screen capture on virtual apps accessed through the Workspace app. Eventually, it will expand to protect everything within the Workspace app, from files to the micro app feed, SaaS, and web.
So, how do companies get App Protection? For on-prem CVAD users, organizations must purchase it as an add-on. Once App Protection is released for Citrix Cloud, it will be included for no additional charge for Premium and Premium Plus customers, including for existing customers. For organizations with hybrid deployments, they’ll receive a license file to apply App Protection to their on-prem resources.
Provide protection for BYOD deployments
Eric explained that they created App Protection as a response to the growing number of unmanaged BYOD devices organizations have (a number that has likely grown a lot in recent weeks). So, App Protection provides a measure of additional protection for corporate resources on devices that companies don’t have any real visibility into. For example, if a company requires employees log into a VPN before accessing corporate resources, if they have a keylogger on their device, then the VPN credentials are potentially captured and now an attacker has a way into the network.
App Protection has proven popular with companies in regulated industries that have compliance issues to worry about.
App Protection is just a piece of Citrix’s overall security plan, combining alongside Citrix Endpoint Management and Secure Browser. It’s definitely a neat tool that we’ll be keeping our eyes on to see how it matures.