Restricting XenApp 7.x Published Desktop Access

Website relaunched and updated

I’m one of those guys who has been “doing Citrix” for more years than I care to admit. Yes, I’m old enough that my Citrix experience goes back to the WinView days, and I have the gray hair to show for it. Obviously, over the years, I’ve worked with the various incarnations of what we then called SBC (Server Based Computing), whether that was WinFrame, MetaFrame, Presentation Server, XenApp, etc. For many, many years, it has been a common practice to try to steer customers to using published applications for end users, instead of published desktops. Using the published applications from a server dramatically decreases the security risk exposure. As a result, it became standard practice to publish applications to end users, but yet still publish the server desktop to the Citrix administrators. It just became an easy way for Citrix administrators to get to a specific server for any number of administrative purposes, no matter where they were.

This typical deployment scenario was easily implemented up through XenApp 6.5. However, since the “architecture shift” at XenDesktop 7 occurred, we don’t use the same tools to publish applications and desktops. The whole process of publishing an application is actually much simpler now. When you add the Delivery Group, you are prompted as to whether you want to publish applications only, or applications and desktops. You specify a base list of users that will see these applications and desktops, and then as you select each application you want to publish, you can further restrict the list of users that actually see the individual published applications. So, it’s typical to make that initial base list include a broad group, like “Domain Users” and then restrict applications as necessary, like making a financial application visible only to the Accounting Department group from Active Directory.

You go through this process, publishing applications from your Delivery Group, watching users happily find their applications in Receiver or StoreFront. Then it hits you… One of those users clicks on the “Desktops” tab in StoreFront, and there it is – the published server desktop. It suddenly dawns on you that you never restricted who could see the published desktop icon. In fact, by default, it is visible to everyone in that initial base list you specified when you brought the server into the delivery group. You quickly go back to Citrix Studio, looking for the field you overlooked where you can limit access to that desktop icon. You didn’t miss it. It just doesn’t exist. You spend time searching the web, only to find out that, in fact, there is no way in Citrix Studio to simply restrict visibility of the published desktop.

After more digging, you find that there are actually have two choices for making that published desktop icon disappear from in front of your end users. You go back and change this Delivery Group to publish applications only. We have success! This immediately fixes the problem, as the published desktop no longer exists, so absolutely no one sees it in StoreFront or Receiver. The “crisis” of having unintended users access a server desktop has been averted, but now you, as the Citrix administrator, can’t access the published desktop either. Sure, you can get to the server desktop using RDS, but if you wanted to easily get there as a published desktop, the option is gone.

There is another way to get exactly what you want. You can actually leave the published desktop alone as you originally created it, and restrict who can see it. It just can’t be done through Citrix Studio. You accomplish this through PowerShell. The steps are as follows:

1. On the Delivery Controller server, open PowerShell
2. In PowerShell, add all the Citrix PowerShell Snapins by typing
add-pssnapin Citrix*
3. Display the existing Broker Entitlement Policy Rule to get the Delivery Group name by typing
4. Set the policy rule to restrict access by typing
Set-BrokerEntitlementPolicyRule -Name “Delivery Group Name” –AddIncludedUsers “Domain\Group” -IncludedUserFilterEnabled $true
where “Delivery Group Name” is the name found in step 3, above
and “Domain\Group” is the name of the Active Directory group you want to have access to this published desktop
5. Exit PowerShell
Once you have completed these steps, only the Active Directory group you specified in step 4 can see the published desktop in StoreFront or Receiver. Why this functionality is not easily configured in Citrix Studio is a mystery to me. Fortunately, others found out how to work around the problem. I can’t take credit for solving the problem, just finding the answer on the web and sharing it with others…

Brian E. Holzer, CCE-V, CCP-N, CCP-M, CCA-N (former CCI)
Sr. Architect
Innovative Integration, Inc.

About Brian Holzer

Brian is a seasoned IT consultant (pre-sales, delivery and marketing) with experience across many industries (healthcare, financial services, communications, manufacturing, education, government, utilities, professional services, etc.). He is a former IT Director, Assistant Professor with Purdue University, and an application developer.

Leave a Reply

Innovative Integration can help you optimize your IT infrastructure. Request a Consultation