Manage App Protection
Supported on: Supported on Citrix Workspace app 2011 and above
Description
This policy helps user to enable/disable Anti-Keylogging and Anti-ScreenCapture on Citrix Workspace App enumeration screen. By default both Anti-Keylogging and Anti-ScreenCapture are disabled. -Enable Anti-Keylogging: Enabling this option will prevent keyloggers from capturing keystrokes. -Enable Anti-ScreenCapture: Enabling this option will prevent user from taking screenshots and sharing screen. Note: This policy doesn’t apply to your virtual app and web/SaaS app sessions. IMPORTANT: Citrix Workspace App needs to be restarted for changes to take effect.
Registry
SOFTWARE\Policies\Citrix\Dazzle REG Builder
BETAConfigure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Manage App Protection
; State: Enabled
; Supported on: Supported on Citrix Workspace app 2011 and above
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Dazzle]
"AntikeyloggingEnabled"=dword:00000001
"AntiScreenCaptureEnabled"=dword:00000001 PowerShell
# Exported from gporais.com
# Policy: Manage App Protection
# State: Enabled
# Supported on: Supported on Citrix Workspace app 2011 and above
$path = 'HKLM:\SOFTWARE\Policies\Citrix\Dazzle'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'AntikeyloggingEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'AntiScreenCaptureEnabled' -Value 1 -Type DWord Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune. Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Manage App Protection
# State: Enabled
# Supported on: Supported on Citrix Workspace app 2011 and above
function Test-RegistryValue {
param(
[Parameter(Mandatory = $true)][string]$Path,
[Parameter(Mandatory = $true)][string]$Name,
[object]$Expected,
[ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
[switch]$Absent
)
try {
$item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
} catch {
return $Absent.IsPresent
}
if ($Absent.IsPresent) { return $false }
$actual = $item.$Name
if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
if ($Kind -eq 'MultiString') {
$actualValues = @($actual)
$expectedValues = @($Expected)
if ($actualValues.Count -ne $expectedValues.Count) { return $false }
for ($i = 0; $i -lt $expectedValues.Count; $i++) {
if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
}
return $true
}
return [string]$actual -eq [string]$Expected
}
$checks = @(
(Test-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Citrix\Dazzle' -Name 'AntikeyloggingEnabled' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Citrix\Dazzle' -Name 'AntiScreenCaptureEnabled' -Expected 1 -Kind DWord)
)
if ($checks -notcontains $false) {
Write-Output 'Compliant'
exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Manage App Protection
# State: Enabled
# Supported on: Supported on Citrix Workspace app 2011 and above
$path = 'HKLM:\SOFTWARE\Policies\Citrix\Dazzle'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'AntikeyloggingEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'AntiScreenCaptureEnabled' -Value 1 -Type DWord SCCM CI
# Exported from gporais.com
# Policy: Manage App Protection
# State: Enabled
# Supported on: Supported on Citrix Workspace app 2011 and above
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Manage App Protection
# State: Enabled
# Supported on: Supported on Citrix Workspace app 2011 and above
function Test-RegistryValue {
param(
[Parameter(Mandatory = $true)][string]$Path,
[Parameter(Mandatory = $true)][string]$Name,
[object]$Expected,
[ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
[switch]$Absent
)
try {
$item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
} catch {
return $Absent.IsPresent
}
if ($Absent.IsPresent) { return $false }
$actual = $item.$Name
if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
if ($Kind -eq 'MultiString') {
$actualValues = @($actual)
$expectedValues = @($Expected)
if ($actualValues.Count -ne $expectedValues.Count) { return $false }
for ($i = 0; $i -lt $expectedValues.Count; $i++) {
if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
}
return $true
}
return [string]$actual -eq [string]$Expected
}
$checks = @(
(Test-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Citrix\Dazzle' -Name 'AntikeyloggingEnabled' -Expected 1 -Kind DWord)
(Test-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Citrix\Dazzle' -Name 'AntiScreenCaptureEnabled' -Expected 1 -Kind DWord)
)
if ($checks -notcontains $false) {
Write-Output 'Compliant'
exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Manage App Protection
# State: Enabled
# Supported on: Supported on Citrix Workspace app 2011 and above
$path = 'HKLM:\SOFTWARE\Policies\Citrix\Dazzle'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'AntikeyloggingEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'AntiScreenCaptureEnabled' -Value 1 -Type DWord