Using LDC with Citrix XenApp

Applies to: LES 4.4 SR7 and newer, Citrix XenApp 6 and newer

This document describes the implementation of Lumension Device Control in a Citrix XenApp environment to control access to devices from unmanaged endpoints.

September 2011, V1.0
Copyright 2011, Lumension
Table of Contents
Using LDC with Citrix XenApp ... 1
Installation ... 3
Permissions ... 3
Encryption ... 4
Unsupported Features on Unmanaged Endpoints ... 4
Installation

These steps assume that an existing Citrix XenApp server is installed and configured on an operating system supported by both Citrix XenApp and the LES agent.

Install the LES database (SX), application server (SXS), and console (SMC) in the usual manner, according to the product documentation.

For Windows-based endpoints supported by LES, install the LES agent directly on those endpoints for maximum protection. To cover endpoints that are either unmanaged (e.g. employee-owned) or run an unsupported (e.g. non-Windows) operating system, install an LES agent on the XenApp server. This agent manages device access within the XenApp sessions.

Note that for device permissions to be applied to specific users, XenApp must be configured not to allow anonymous publication of applications. When an application is published anonymously, the session is not associated with the actual Active Directory user, so no user-specific policy applies to that unknown user. If an application must be published anonymously, the same permission must apply to all users; this is done by assigning the permission to the user Everyone in the LES console.

Permissions

Permissions can be applied at the Device Class level of the hierarchy. Permissions cannot be applied to specific device models or unique device IDs, because this information is not delivered to the server from the XenApp client.

If the same username connects both from LES-managed endpoints (LES agent installed) and from unmanaged endpoints (via XenApp), and you want to manage permissions at the device ID or model level on the managed machines, set separate permissions for the LES agent on the Citrix server: apply permissions to the specific devices and models you wish to manage on the managed endpoints, then add the Citrix server to the console using Insert Computer and apply permissions at the class level to that computer.
Permissions can be set at each class level for User and User Group assignments. Read, Write, Encrypt, and Decrypt permissions are supported as they are for managed endpoints. Permissions can also be applied separately to encrypted and unencrypted devices: for example, Read and Write permissions for encrypted Removable Storage Devices and Read-only (or no access) for unencrypted Removable Storage Devices.

There is a class in Device Explorer that applies specifically to Citrix XenApp installations: Citrix Network Shares. A Citrix user may map a network drive letter to a device connected to the endpoint and could then bypass the device permission being enforced by reading and writing through the network drive letter instead of the device itself. Permissions set for Citrix Network Shares apply to these file transfers; you may block access, allow read only, or allow read and write to these mapped drives.

As an example, a user connects a USB flash drive to a USB port on his home computer (Y:) and maps it locally as a network share (Z:) while using a XenApp-delivered application. Citrix XenApp identifies the device as either removable storage or a network share depending on the drive letter used to access it. If the user accesses the drive as Z:, LDC applies the Citrix Network Shares permissions; if the user accesses it as Y:, the Removable Storage Devices class permissions apply instead. Because the same physical device is reachable both ways, set the Citrix Network Shares permissions no more permissive than the Removable Storage Devices permissions, or the share mapping becomes exactly the bypass this class exists to close.

Encryption

Device encryption from remote endpoints is supported in the manner described here. The Secure Volume Browser application (SVOLBRO.EXE) is a component of the LES client and can be used to encrypt devices from unmanaged endpoints. To use Secure Volume Browser for encryption, the application must be made available to XenApp users, which you can do by publishing it through XenApp. If you are delivering the server's desktop environment through XenApp, Secure Volume Browser is already part of that image and does not need to be published separately; you may, however, want to put a shortcut to it on the desktop so users can find it easily.

To encrypt a device, the user starts Svolbro.exe, right-clicks the device's drive letter, and selects the encrypt option. The user is prompted for a password, and the device is encrypted.

Unsupported Features on Unmanaged Endpoints

Because the agent is not installed on the endpoint, certain LDC functions do not behave as they do when the agent is installed on the endpoint itself:

Offline permissions are not supported. The agent is installed on the server and is therefore always online.

File Type Filtering is not available. The agent driver is not in a position to intercept file transfers and analyze file content to determine whether the transfer should be permitted.

File Shadowing is not supported. The file being transferred never actually resides on the XenApp server where the agent is installed, and there is no mechanism within XenApp to return the file to the server.

Managing permissions for specific device models or unique device IDs is not supported. This information about the device is not passed from the XenApp client to the server. LES 4.4 SR9 and later versions contain an API that allows this information to be communicated to the LES agent on the XenApp server; custom development of a mechanism to pass this data from the XenApp endpoint to the XenApp server could provide this capability. Lumension can provide the API documentation upon request.
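The Permissions section above describes a user reaching one client USB drive through two drive letters (Y: mapped by Citrix, Z: mapped by the user as a network share), each governed by a different LDC class. The following PowerShell audit is an added example and is not part of the Lumension document or product; it can be run inside a XenApp session on the server that hosts the LES agent to list every drive letter that resolves to an ICA client drive and to flag client drives reachable through more than one letter. It assumes (the document does not say this) that ICA client drive mapping exposes client drives as \\Client\<letter>$ and that Win32_LogicalDisk reports that UNC path in ProviderName for every letter resolving to it, whether Citrix or a user's "net use" created the mapping. The function name Get-ClientDriveAliases and the sample disk objects are constructed for this example.

```powershell
# Added example, not from the Lumension document. Audits a XenApp session for ICA
# client drives that are reachable through more than one drive letter, which is the
# Y:/Z: situation described under Permissions.
#
# Assumptions (not stated in the document): ICA client drive mapping exposes client
# drives as \\Client\<letter>$, and Win32_LogicalDisk reports that UNC path in
# ProviderName for every drive letter that resolves to it, whether the letter was
# mapped automatically by Citrix or by the user with "net use".

function Get-ClientDriveAliases {
    param(
        # Objects with DeviceID and ProviderName; defaults to the live session's disks.
        [object[]]$Disks = @(Get-WmiObject -Class Win32_LogicalDisk)
    )

    # Keep only the letters that resolve to a client drive share such as \\Client\Y$.
    $clientDrives = @($Disks | Where-Object {
        $_.ProviderName -and ($_.ProviderName -match '^\\\\Client\\[A-Za-z]\$$')
    })

    # One result per client share. Two or more letters for the same share means the
    # user has created an alias; per the document, LDC classes each letter by how it
    # was mapped, so the alias falls under Citrix Network Shares rather than
    # Removable Storage Devices.
    foreach ($group in ($clientDrives | Group-Object -Property ProviderName)) {
        $letters = @($group.Group | ForEach-Object { $_.DeviceID } | Sort-Object)
        if ($letters.Count -gt 1) {
            $note = 'Aliased: Citrix Network Shares permissions govern the extra letter(s)'
        } else {
            $note = ''
        }
        New-Object PSObject -Property @{
            ClientShare  = $group.Name
            DriveLetters = ($letters -join ',')
            Aliased      = ($letters.Count -gt 1)
            Note         = $note
        }
    }
}

# Constructed sample standing in for a live session: C: is the server's system drive,
# Y: is the client USB drive mapped automatically by Citrix, and Z: is the user's own
# "net use Z: \\Client\Y$" alias of the same device.
$sample = @(
    (New-Object PSObject -Property @{ DeviceID = 'C:'; DriveType = 3; ProviderName = $null }),
    (New-Object PSObject -Property @{ DeviceID = 'Y:'; DriveType = 4; ProviderName = '\\Client\Y$' }),
    (New-Object PSObject -Property @{ DeviceID = 'Z:'; DriveType = 4; ProviderName = '\\Client\Y$' })
)

Get-ClientDriveAliases -Disks $sample |
    Select-Object ClientShare, DriveLetters, Aliased, Note |
    Format-Table -AutoSize

# Omit -Disks to audit the current XenApp session instead of the constructed sample.
```

With the sample input the single \\Client\Y$ entry is reported with DriveLetters "Y:,Z:" and Aliased set to True. In a live session, an Aliased result is the cue to confirm that the Citrix Network Shares permissions assigned to that user (or to Everyone, for anonymously published applications) are no more permissive than the Removable Storage Devices permissions, since the document states that LDC picks the class from the drive letter in use rather than from the underlying device.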