Managing Citrix Client Selective Trust settings on AAD devices using Intune


Citrix Workspace app for Windows provides access to a user’s resources using Citrix Virtual Apps and Desktops. These resources include SaaS, web and legacy applications and desktops. Citrix Workspace app provides access from the desktop, start menu, Citrix Workspace user interface and web browsers.

Now in an Active Directory infrastructure, Citrix Workspace app can be centrally configured using Microsoft group policies. This requires that the administrative templates (the ADMX and ADML files) for Citrix Workspace app are copied to your Group Policy Central Store. Part of these setting include configuring Client Selective Trust registry keys which allows controlling the user permission prompts in a Citrix session related to access of resources on the device like local drives, webcams, microphones etc.

But how does one address this on devices that are Azure AD joined only? If you are managing devices using Intune, then one can using PS scripts to configure the necessary registry keys. At the time of writing this blog, following keys are available that can be configured.











It took me a while to research for the settings, therefore I decided to share the details on the setup through this post to help others save some time. I basically configured the settings myself and exported them to be used later in a script for configuration during Autopilot provisioning. Following is the script that I put together to configure some of the relevant settings. 

# define your PS script here
$content = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegion]
"className"="Region"
"isRoot"="true"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegion\ConnectionAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidInternetRegionConnectionAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegion\IsIsmDeferalEnabled]
"stereotype"="DbScalar"
@="false"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegion\RegionName]
"stereotype"="DbScalar"
@="Internet"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegion\UrlWhitelist]
"stereotype"="DbSequence"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionConnectionAuthorizationDecision]
"className"="ConnectionAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionConnectionAuthorizationDecision\ConnectPermission]
"stereotype"="DbScalar"
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionConnectionAuthorizationDecision\IcaAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidInternetRegionIcaAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionConnectionAuthorizationDecision\RadeAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidInternetRegionRadeAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionIcaAuthorizationDecision]
"className"="IcaAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionIcaAuthorizationDecision\FileSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionIcaAuthorizationDecision\IsSsonAllowed]
"stereotype"="DbScalar"
@="false"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionIcaAuthorizationDecision\MicrophoneAndWebcamSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionIcaAuthorizationDecision\ParentRegionOid]
"stereotype"="DbScalar"
@="oidInternetRegion"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionIcaAuthorizationDecision\PdaSecurityPermission]
"stereotype"="DbScalar"
@="3"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionIcaAuthorizationDecision\ScannerAndDigitalCameraSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidInternetRegionRadeAuthorizationDecision]
"className"="RadeAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegion]
"className"="Region"
"isRoot"="true"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegion\ConnectionAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidIntranetRegionConnectionAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegion\IsIsmDeferalEnabled]
"stereotype"="DbScalar"
@="true"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegion\RegionName]
"stereotype"="DbScalar"
@="Intranet"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegion\UrlWhitelist]
"stereotype"="DbSequence"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionConnectionAuthorizationDecision]
"className"="ConnectionAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionConnectionAuthorizationDecision\ConnectPermission]
"stereotype"="DbScalar"
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionConnectionAuthorizationDecision\IcaAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidIntranetRegionIcaAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionConnectionAuthorizationDecision\RadeAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidIntranetRegionRadeAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionIcaAuthorizationDecision]
"className"="IcaAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionIcaAuthorizationDecision\FileSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionIcaAuthorizationDecision\IsSsonAllowed]
"stereotype"="DbScalar"
@="false"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionIcaAuthorizationDecision\MicrophoneAndWebcamSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionIcaAuthorizationDecision\ParentRegionOid]
"stereotype"="DbScalar"
@="oidIntranetRegion"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionIcaAuthorizationDecision\PdaSecurityPermission]
"stereotype"="DbScalar"
@="3"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionIcaAuthorizationDecision\ScannerAndDigitalCameraSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidIntranetRegionRadeAuthorizationDecision]
"className"="RadeAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidPredefinedSecurityPolicySettings]
"className"="PredefinedSecurityPolicySettings"
"isRoot"="true"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidPredefinedSecurityPolicySettings\BackwardsCompatibleWithLegacySecurityModel]
"stereotype"="DbScalar"
@="true"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidPredefinedSecurityPolicySettings\InstantiatedSecurityPolicyEditable]
"stereotype"="DbScalar"
@="true"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidPredefinedSecurityPolicySettings\UserSecurityPolicyEditable]
"stereotype"="DbScalar"
@="true"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegion]
"className"="Region"
"isRoot"="true"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegion\ConnectionAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidRestrictedSitesRegionConnectionAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegion\IsIsmDeferalEnabled]
"stereotype"="DbScalar"
@="true"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegion\RegionName]
"stereotype"="DbScalar"
@="Restricted Sites"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegion\UrlWhitelist]
"stereotype"="DbSequence"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionConnectionAuthorizationDecision]
"className"="ConnectionAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionConnectionAuthorizationDecision\ConnectPermission]
"stereotype"="DbScalar"
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionConnectionAuthorizationDecision\IcaAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidRestrictedSitesRegionIcaAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionConnectionAuthorizationDecision\RadeAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidRestrictedSitesRegionRadeAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionIcaAuthorizationDecision]
"className"="IcaAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionIcaAuthorizationDecision\FileSecurityPermission]
"stereotype"="DbScalar"
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionIcaAuthorizationDecision\IsSsonAllowed]
"stereotype"="DbScalar"
@="false"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionIcaAuthorizationDecision\MicrophoneAndWebcamSecurityPermission]
"stereotype"="DbScalar"
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionIcaAuthorizationDecision\ParentRegionOid]
"stereotype"="DbScalar"
@="oidRestrictedSitesRegion"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionIcaAuthorizationDecision\PdaSecurityPermission]
"stereotype"="DbScalar"
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionIcaAuthorizationDecision\ScannerAndDigitalCameraSecurityPermission]
"stereotype"="DbScalar"
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidRestrictedSitesRegionRadeAuthorizationDecision]
"className"="RadeAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegion]
"className"="Region"
"isRoot"="true"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegion\ConnectionAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidTrustedSitesRegionConnectionAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegion\IsIsmDeferalEnabled]
"stereotype"="DbScalar"
@="true"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegion\RegionName]
"stereotype"="DbScalar"
@="Trusted Sites"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegion\UrlWhitelist]
"stereotype"="DbSequence"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionConnectionAuthorizationDecision]
"className"="ConnectionAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionConnectionAuthorizationDecision\ConnectPermission]
"stereotype"="DbScalar"
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionConnectionAuthorizationDecision\IcaAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidTrustedSitesRegionIcaAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionConnectionAuthorizationDecision\RadeAuthorizationDecision]
"stereotype"="DbReference"
"oid"="oidTrustedSitesRegionRadeAuthorizationDecision"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionIcaAuthorizationDecision]
"className"="IcaAuthorizationDecision"
"stereotype"="DbObject"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionIcaAuthorizationDecision\FileSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionIcaAuthorizationDecision\IsSsonAllowed]
"stereotype"="DbScalar"
@="true"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionIcaAuthorizationDecision\MicrophoneAndWebcamSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionIcaAuthorizationDecision\ParentRegionOid]
"stereotype"="DbScalar"
@="oidTrustedSitesRegion"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionIcaAuthorizationDecision\PdaSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionIcaAuthorizationDecision\ScannerAndDigitalCameraSecurityPermission]
"stereotype"="DbScalar"
@="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\Client Selective Trust\oidTrustedSitesRegionRadeAuthorizationDecision]
"className"="RadeAuthorizationDecision"
"stereotype"="DbObject"



'@
 
# create custom folder and write script
$path = $(Join-Path $env:ProgramData AutopilotScripts)
if (!(Test-Path $path))
{
New-Item -Path $path -ItemType Directory -Force -Confirm:$false
}

Out-File -FilePath $(Join-Path $env:ProgramData AutopilotScripts\ClientSelectiveTrust_FullAccess.reg) -Encoding unicode -Force -InputObject $content -Confirm:$false

regedit.exe /S C:\ProgramData\AutopilotScripts\ClientSelectiveTrust_FullAccess.reg

Now the only task left is to import it Intune.

2. Browse to Devices > Windows > PowerShell Scripts
3. Click Add
4. Provide a Name and hit next
5. Under Script settings, select the desired script.
6. Select No against Run this script using the logged on credentials option.
7. Select No against Enforce script signature check option.
8. Select Yes against Run script in 64 bit PowerShell Host option.
9. Assign the script to a device-based group.

References - 


Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Prevent users from running certain programs or applications on Windows endpoints using Intune

Intune: Configure Printers for Non-Administrative Users