Local Application Protection
Supported on: All Citrix Workspace supported platforms
Description
The Local Application Protection policy provides Anti-Keylogging and Anti-ScreenCapture protection to the locally installed applications on the Microsoft Windows operating system.

When the policy is:
- Not Configured - The Local Application Protection feature isn't integrated with the locally installed applications.
- Enabled - Citrix Workspace app enables the Local Application Protection feature for the locally installed applications.
- Disabled - Citrix Workspace app disables the Local Application Protection feature for the locally installed applications.

The List of protected local applications field allows the administrator to add information about the local applications that must be protected. For example:

    {
      "containers": [
        {
          "containerID": "4F402876-AB1A-4E9A-8B54-DE3CA0BFC23F",
          "containerName": "Text Editors",
          "antiKeyloggingEnabled": "true",
          "antiScreenCaptureEnabled": "false",
          "applications": [
            {
              "applicationName": "notepad",
              "filePath": "C:\\windows\\system32\\notepad.exe"
            },
            {
              "applicationName": "word",
              "filePath": "C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe",
              "publisher": "Microsoft Corporation",
              "signature": "f9a36937c16d0a69a43981dacb6b5686fad84543",
              "fileMinVersion": "16.0.0.1",
              "fileMaxVersion": "16.0.15601.20148"
            }
          ]
        },
        {
          "containerID": "GUID",
          "containerName": "container name",
          "antiKeyloggingEnabled": "true",
          "antiScreenCaptureEnabled": "false",
          "applications": [
            {
              "applicationName": "application name",
              "filePath": "path-to-exe",
              "publisher": "signer name",
              "signature": "certificate thumbprint",
              "fileMinVersion": "Minimum file version",
              "fileMaxVersion": "maximum file version"
            }
          ]
        }
      ]
    }
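A pre-deployment check for the List of protected local applications value, as an added example that is not part of the Citrix policy or of this page's exports. The function name Test-LocalAppProtectionJson and its rules (GUID container IDs, "true"/"false" flag strings, 40-hex-digit thumbprints, minimum version not above maximum) are assumptions inferred from the sample in the description; the input below is constructed.

```powershell
# Added example: lint a "List of protected local applications" document.
# Field names are from the policy description; the rules are assumptions.
function Test-LocalAppProtectionJson {
    param([Parameter(Mandatory = $true)][string]$Json)
    $problems = New-Object System.Collections.Generic.List[string]
    try { $doc = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { $problems.Add("invalid JSON: $($_.Exception.Message)"); return $problems }
    if (-not $doc.containers) { $problems.Add('no containers defined'); return $problems }
    $guid = [guid]::Empty; $min = [version]'0.0'; $max = [version]'0.0'
    foreach ($c in @($doc.containers)) {
        $where = "container '$($c.containerName)'"
        if (-not [guid]::TryParse([string]$c.containerID, [ref]$guid)) { $problems.Add("${where}: containerID is not a GUID") }
        foreach ($flag in 'antiKeyloggingEnabled', 'antiScreenCaptureEnabled') {
            if ([string]$c.$flag -cnotin 'true', 'false') { $problems.Add("${where}: $flag must be 'true' or 'false'") }
        }
        foreach ($a in @($c.applications | Where-Object { $_ })) {
            $app = "$where, application '$($a.applicationName)'"
            if (-not $a.applicationName -or -not $a.filePath) { $problems.Add("${app}: applicationName and filePath are required") }
            # Informational: the entry carries no signer details at all.
            if (-not $a.publisher -and -not $a.signature) { $problems.Add("${app}: no publisher or signature set") }
            if ($a.signature -and $a.signature -notmatch '^[0-9A-Fa-f]{40}$') {
                $problems.Add("${app}: signature is not 40 hex digits")
            }
            if ($a.fileMinVersion -and $a.fileMaxVersion) {
                $ok = [version]::TryParse([string]$a.fileMinVersion, [ref]$min) -and
                      [version]::TryParse([string]$a.fileMaxVersion, [ref]$max)
                if (-not $ok) { $problems.Add("${app}: file version is not parseable") }
                elseif ($min -gt $max) { $problems.Add("${app}: fileMinVersion exceeds fileMaxVersion") }
            }
        }
    }
    return $problems
}

# Constructed sample: truncated thumbprint and an inverted version range.
$sample = @'
{ "containers": [ {
    "containerID": "4F402876-AB1A-4E9A-8B54-DE3CA0BFC23F",
    "containerName": "Text Editors",
    "antiKeyloggingEnabled": "true",
    "antiScreenCaptureEnabled": "false",
    "applications": [ {
        "applicationName": "word",
        "filePath": "C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe",
        "signature": "f9a36937c16d",
        "fileMinVersion": "16.0.15601.20148",
        "fileMaxVersion": "16.0.0.1" } ] } ] }
'@
Test-LocalAppProtectionJson -Json $sample
```

An empty result means none of the assumed rules was violated; the constructed sample reports the short thumbprint and the inverted version range.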
Registry
SOFTWARE\Policies\Citrix\AppProtection
REG Builder (BETA)
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Local Application Protection
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\AppProtection]
"localAppProtection"=hex(7):00,00
; REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
PowerShell
# Exported from gporais.com
# Policy: Local Application Protection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\SOFTWARE\Policies\Citrix\AppProtection'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'localAppProtection' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Local Application Protection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Citrix\AppProtection' -Name 'localAppProtection' -Expected @() -Kind MultiString)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Local Application Protection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\SOFTWARE\Policies\Citrix\AppProtection'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'localAppProtection' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
SCCM CI
# Exported from gporais.com
# Policy: Local Application Protection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Local Application Protection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKLM:\SOFTWARE\Policies\Citrix\AppProtection' -Name 'localAppProtection' -Expected @() -Kind MultiString)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Local Application Protection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKLM:\SOFTWARE\Policies\Citrix\AppProtection'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'localAppProtection' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.