Allow client connections
Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
Description
Use this policy to enable or completely disable connections from the Citrix Workspace app.
When this policy is not configured, the client will allow connection to servers.
When this policy is enabled, the client will only connect to a server if the "Enable client" option is selected and its version number is greater than or equal to the "Minimum client version".
When the policy is disabled, the client will not allow connections to any servers.
Troubleshooting:
If a connection is refused because the client is not enabled, the error message "<Server> ERROR: Cannot connect to the Citrix XenApp server. The Server (…) is not trusted for ICA connections. Connections to the (All Regions) Region are not allowed by lockdown settings. Please contact your administrator." appears.
If the client does not allow a connection because the version number is too low, the error message "Error number 2321: ICA Client Configuration Manager: The ICA Client version is too low to run using the installed configuration data." appears.
Registry
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions
REG Builder BETA
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Allow client connections
; State: Enabled
; Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
[HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions]
"AllowConnection"=dword:00000001
"Version Minimum"=dword:00002710
PowerShell
# Exported from gporais.com
# Policy: Allow client connections
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions'
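# Create the key only if it is missing; New-Item -Force on an existing key
# would reset it and discard values already stored there.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name 'AllowConnection' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'Version Minimum' -Value 10000 -Type DWord
Intune XML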
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Allow client connections
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions' -Name 'AllowConnection' -Expected 1 -Kind DWord)
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions' -Name 'Version Minimum' -Expected 10000 -Kind DWord)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Allow client connections
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions'
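# Create the key only if it is missing; New-Item -Force on an existing key
# would reset it and discard values already stored there.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name 'AllowConnection' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'Version Minimum' -Value 10000 -Type DWord
SCCM CI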
# Exported from gporais.com
# Policy: Allow client connections
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Allow client connections
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions' -Name 'AllowConnection' -Expected 1 -Kind DWord)
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions' -Name 'Version Minimum' -Expected 10000 -Kind DWord)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Allow client connections
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions'
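# Create the key only if it is missing; New-Item -Force on an existing key
# would reset it and discard values already stored there.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name 'AllowConnection' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'Version Minimum' -Value 10000 -Type DWord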