Published Applications

Last Modified: Dec 22, 2023 @ 5:02 am


💡 = Recently Updated

Change Log

RDSH Application Testing

Installing apps on Remote Desktop Session Host (Virtual Apps or XenApp) is more complicated than installing apps on a single-user operating system (virtual desktop). Here are some RDSH-specific considerations that must be tested before integrating a new application into RDSH. These considerations usually don’t apply to virtual desktops.

  •  Multi-user Capable – can the application run multiple times on the same machine by different users? Most applications don’t have a problem, but a few do, especially applications that put temporary files or other writable files in global locations. For example, the first user of an app could write temporary files to C:\Temp. The second user writes to the same location, overwriting the temp files needed by the first user. Test the app with multiple users running the app on the same RDSH machine.
  • Lockdown to prevent one user from affecting another – What restrictions are needed to prevent one user from affecting another? For example, if an app’s configuration files are stored in a global location, you don’t want one user to edit the configuration file, and thus affect a different user. Test the app with multiple users running the app on the same RDSH machine.
  • Permission Relaxations – what relaxations (e.g. NTFS) are needed to allow non-administrators and GPO locked-down users to run the application? Test the application as a non-administrator with GPO lock down policies applied.
  • First Time Use – when a user launches an application the first time, the application should be automatically fully configured with default settings (e.g. back-end server connections). Use group policy to apply application settings. Automated FTU also helps with a user whose profile is reset. Test the RDSH app with a user that has a new (clean) profile.
  • Roaming – users could connect to a different RDSH machine every day, and thus user settings need to roam across machines. Test running the app on one RDSH, make changes, then login to a different RDSH machine to ensure the changes are still there.
  • Application Licensing – if an application requires licensing, can licensed and non-licensed users connect to the same machine? Can it be guaranteed that non-licensed users can’t run the application that requires licensing? Adobe Acrobat is an example of a challenging application because of the global .pdf file-type association, and the global PDF printer.
  • Client Devices (USB, printers, COM ports) – the client device mapping capabilities on RDSH are not as extensive as virtual desktops. For example, generic USB wasn’t added until Windows Server 2012 R2. When the application prints, does it show printers from every user, instead of just the user running the app? Does the app need COM port mapping?
  • Shared IP – does the app have any problems with multiple users sharing the same IP address? If so, you might have to configure RDS IP Virtualization.
  • Fair Sharing of Hardware Resources– does the app sometimes consume a disproportionate amount of hardware resources? For example, can the app be used to launch a task that consumes 100% CPU for some time? One option is to put this app on its own Delivery Group. Or you can use Citrix Workspace Environment Manager to ensure fair sharing of hardware resources.
  • Published Application – can the app run as a published application that doesn’t have Explorer running in the background? Does the app (e.g. Internet Explorer web apps) need RunOnce.exe /AlternateShellStartup to fully initialize before it will run correctly as a published application? Some apps work without issue in a published desktop, but don’t work properly as published applications. When testing a published app, test it with a user that has a new (clean) profile. Connecting to the published desktop once will cause Active Setup to run, changing the user’s profile, thus distorting the published app testing results.
  • Integration Testing – when installing a new app on a RDSH server, don’t forget to test the other apps already on the RDSH server, because the new app might have broken the other apps. The more apps you put on an RDSH server, the longer it takes to perform integration testing.

Also see MSDN Remote Desktop Services programming guidelines.

Some of the issues in this list can be overcome by using an application virtualization tool (e.g. Microsoft App-V) that runs apps in isolated bubbles.

Application Groups

Citrix Blog Post Introducing Application Groups in XenApp and XenDesktop 7.9

Citrix Virtual Apps and Desktops and XenApp 7.9 and newer has an Application Group feature. This feature lets you group published apps together so you can more easily apply properties to every app in the group. Today, you can do the following:

  • Control visibility of every app in the app group (Users page).
  • Publish every app on the same Delivery Groups.
  • Prevent or allow apps in different Application Groups from running in the same session.
  • With one published app icon, test users launch from test Delivery Group, while production users launch from production Delivery Group.

To create an Application Group:

  1. In Citrix Studio, right-click Applications, and click Create Application Group.

    1. In the Getting Started page, click Next.
    2. In the Delivery Groups page, select the delivery groups you want these apps published from.
    3. In the Users page, select the users that can see the apps in this app group.
    4. Note: there are three levels of authorization. An app is only visible to a user if the user is assigned to all of the following:
      • Delivery Group
      • Application Group
      • Individual Published Apps in the Application Group
    5. Click Next.
    6. In the Applications page, publish applications like normal. The Existing option lets you select an app that’s already been published to a different Application Group or Delivery Group. Click Next.
    7. In the Summary page,  give the Application Group a name, and click Finish.
  2. In the Applications node in Studio, there’s a new Application Groups section.
  3. If you highlight your Application Group, on the right is the list of apps in the group. You can edit each of these published apps like normal.
  4. You can drag applications into an Application Group.

  5. However, this more of a copy than a move. To actually move the app exclusively into the Application Group, edit the individual app, and on the Groups page, remove all Delivery Groups (or other Application Groups). The app will instead inherit the Delivery Groups from the app group.
  6. If you edit the Application Group:
  7. The Settings page has an option for session sharing between Application Groups. Clearing this checkbox allows you to force applications in different Application Groups to run in different sessions.
  8. The Delivery Groups tab lets you set Delivery Group priority. If priority is identical, then sessions are load balanced. If priorities are different, then sessions are launched on Delivery Groups in priority order.
  9. The checkbox for Restrict launches to machines with tag lets you restrict the apps to only run on VDAs with the selected tag.
  10. In Citrix Virtual Apps and Desktops and XenApp/XenDesktop 7.13 and newer, you can use PowerShell to cause an Application Group to launch multiple app instances in separate sessions. Citrix Blog Post XenApp and XenDesktop 7.13: Launching an Application in Multiple Sessions.

Limit Icon Visibility

For Published Applications, there are three levels of application authorization: Delivery Group, Application Groups, and Published App Limit Visibility. A published app icon is only visible if the user is added to all three levels.

  1. Delivery Group (Users page). If the user is not assigned to the Delivery Group, then the user won’t see any application or desktop icon published from that Delivery Group.

  2. Limit Visibility – You can use the published app’s Limit Visibility page to restrict an icon to a subset of Delivery Group users.

  3. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.9 and newer, you can use Application Groups to restrict access to published icons.

  4. App Icons won’t appear unless users are added to all three of the above locations.

Published Desktops have separate authorization configuration:

  1. Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.8 and newer have a Desktops page in Delivery Group properties where you can publish multiple desktops and restrict access to those individual published desktops.

  2. In XenApp/XenDesktop prior to version 7.8, if a desktop is published from the Delivery Group, by default, every user assigned to the Delivery Group can see the icon. You can use the PowerShell command Set-BrokerEntitlementPolicyRule to limit the desktop icon to a subset of the users assigned to the Delivery Group.
    1. Run asnp citrix.*
    2. Run Get-BrokerEntitlementPolicyRule to see the published desktops.
    3. Then run Set-BrokerEntitlementPolicyRule to set the IncludedUsers or ExcludedUsers filters.

Published Content

Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.11 and newer have Published Content where you can publish URLs that are opened in the user’s local browser. You can also publish UNC paths, which are opened with local Explorer or local application.

It’s not possible to publish content using Citrix Studio. Instead, use PowerShell.

The New-BrokerApplication cmdlet requires you to specify a Delivery Group which must have at least one registered machine in it. However, the published content does not actually launch from the Delivery Group since the URLs and/or UNCs open locally.

First run asnp citrix.*

Then run New-BrokerApplication -ApplicationType PublishedContent. Here is a sample PowerShell command:

New-BrokerApplication -Name "CitrixHomePage" -PublishedName "Citrix Home Page" -ApplicationType PublishedContent -CommandLineExecutable -DesktopGroup RDSH12R2

Instead of publishing to a Delivery Group, you can publish to an Application Group by using the -ApplicationGroup switch. The Application Group must have Delivery Group(s) assigned to it.

Once the Published Content is created, you can see it in Citrix Studio. You can also edit it from Citrix Studio, including Limit Visibility and Groups (to move it to an Application Group).

Published Content can be placed in Application Groups, which supports properties to restrict access to the shortcut.

It does not appear to be possible to set the icon from Studio, but you can do it using PowerShell. See Citrix Blog Post @XDtipster – Changing Delivery Group Icons Revisited (XD7) for instructions to convert an icon to a base64 string, and import to Citrix Virtual Apps or XenApp using New-BrokerIcon -EnCodedIconData "Base64 String".  Then you can link the icon to the Published Content using Set-BrokerApplication "App Name" -IconUid.

In StoreFront 3.7, you can click the icon and URLs will open in a new browser tab.

HTTP/HTTPS Published Content should open in Receiver. Other URLs (e.g. file:// or UNC path) will probably show an error message.

You can override this restriction by enabling the group policy setting Allow/Prevent users to publish unsafe content at Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Receiver | SelfService. This assumes you’ve installed the Receiver .admx files. (h/t David Prows at CUGC forums).

Application Usage Limits

In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.7 or newer, if you edit an application’s Properties, on the Delivery page, you can restrict the number of concurrent instances of the application. You can also Limit to one instance per user.

Citrix Virtual Apps and Desktops (CVAD) 1808 and newer support limiting the number of application instances per machine. This setting is configured using PowerShell. See Configure application limits at Citrix Docs.

asnp citrix.*
Set-BrokerApplication MyApplication -MaxPerMachineInstances 2

To revert to unlimited per-machine instances of the published application, set MaxPerMachineInstances to 0.

Keywords for StoreFront

In a published application’s Properties, on the Identification page, in the Description and keywords field, you can enter KEYWORDS to control how the app behaves when displayed by StoreFront.

  • Enter KEYWORDS:Mandatory or KEYWORDS:Auto to cause the application to automatically be subscribed or favorited in Citrix Receiver.
    • In StoreFront 3.0 and newer, the user can go to the Apps tab, click an App’s Details button, and mark the app as a Favorite. 
    • In the older StoreFront interface, users subscribe to applications by clicking the plus icon to add the application to the middle of the screen. 
    • Mandatory means the app can’t be removed from Favorites or unsubscribed.
    • Auto means the app is automatically favorited or subscribed, and can be un-favorited or unsubscribed by the user.
  • Enter KEYWORDS:Featured to make the application show up in the Featured list.
  • You can separate multiple keywords with a space. KEYWORDS:Mandatory Featured.
  • See the StoreFront 3.7 Keywords documentation at Citrix Docs for more information.

Users will have a better experience with StoreFront if applications are published into folders. The folder name is specified in the Delivery page in the Category field. Note: Add shortcut to user’s desktop works in newer versions of Receiver assuming the app is marked as a Favorite.

Secure Browser

Citrix has a deployment guide for publishing a browser from XenApp. Here’s an overview of the configuration:

  • Install Chrome on an RDSH VDA.
  • In Studio, publish IE and/or Chrome in Kiosk Mode to anonymous users.
    • Create a different published app for each website.
  • In StoreFront, create a Store for Unauthenticated Users.
  • In StoreFront, enable Receiver for HTML5.
  • In StoreFront, enable web links so you can link to the published browser from a different website.

When a user launches the published browser, the HTML5 client opens the published app in a local browser tab. The published browser runs in kiosk mode so that the published browser’s user interface is hidden. It looks like the website is running on the local browser but actually it’s running from a published browser.


App-V GPO ADMX templates

The latest GPO ADMX templates for App-V can be downloaded from Microsoft Desktop Optimization Pack Group Policy Administrative Templates.

App-V and Logon Times


App-V Dual Admin

In Dual Admin mode, you configure Citrix Studio to connect to App-V Management Server(s) and Publishing Server(s).

See Citrix Blog Post Load Balancing Microsoft App-V Servers with a Citrix Virtual Apps deployment for supported App-V server load balancing configurations.

  • Connecting to Management Servers using a load balancing VIP is not supported.
    • Use DNS Round Robin instead. Or use Citrix PowerShell to specify multiple Management Servers.
  • You can connect to Publishing Servers load balanced through a VIP, but Studio will show an error. Just ignore it.

App-V Single Admin

Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.8 no longer requires App-V management infrastructure and can instead pull the App-V packages directly from an SMB share as detailed at App Packages at Citrix Docs.

The computer accounts for Delivery Controllers and VDAs must have read access to the share. An easy method is to add Domain Computers. See CTX221296 Citrix App-V Integration Minimum Permission Requirements.

In CVAD 2311 or newer, in Web Studio, go to App Packages to add App-V packages. See Publish packaged applications on single-session or shared desktop VDAs at Citrix Docs.

In older Citrix Studio, go to Configuration > Hosting, right-click App-V Publishing, click Add Packages, and browse to the .appv file.

Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.11 adds an Isolation Groups tab.

Once App-V packages are added to Citrix Studio, you can publish an app, and select App-V from the drop-down.

The App-V apps show up as AppLibrary App-V and support the same options as other published applications.

Make sure the App-V Components are installed on your VDA. It’s not checked by default in 7.12 and newer.

On your VDA Windows 10/2016 or newer, in PowerShell, run Enable-Appv. For older OS, install the App-V client.

There appears to be some limitations to the package share method as detailed by Joe Robinson at Citrix Discussions:

Joe Robinson provided a script to force the App-V client to sync before launching the user’s App-V application.

If you run Citrix Workspace app inside a VDA machine and attempt to launch an App-V published app, it will launch from a different VDA session instead of the VDA session you’re already connected to.

Launch App Inside App-V Bubble

From Citrix Blog Post Process Launching in an App-V V5 Virtual Environment:

  • On any executable, add the /appvve:<PackageID>_<VersionID> of the package in which one would like the executable to run
  • If the App-V process is already running then use the /appvpid:<ProcessId> to inject into a running App-V virtual environment
  • If you want something more permanent, you can set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\<YourApplicationName> with a default REG_SZ key that has the executable name in it.

Also see Microsoft Knowledgebase article How to launch processes inside the App-V 5.0 virtualized environment.



Change Published Desktop Icon

Citrix Blog Post Changing Delivery Group Icons Revisited (XD7) has instructions on how to use PowerShell to import a Base-64 icon and then link it to the published desktop.

StoreFront overrides custom desktop icons. Run the following PowerShell commands to restore custom desktop icons: (h/t CTP Sam Jacobs)

& 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'

$store = Get-STFStoreService /Citrix/Store
Set-STFStoreService -StoreService $store -SubstituteDesktopImage $false -Confirm:$false

Other Published App Tips

CTX209199 Published 64 bit Aps Can’t Be Started With %ProgramFiles% in Command Line If It’s Not the first Application to Start: You can try the following methods to address this issue:

  1. Use the absolute path to publish the application.
    2. Use %ProgramW6432% for 64-bit applications instead of %ProgramFiles%.

Google Chrome

Links detailing installation, configuration, roaming profiles, and publishing.

CTX132057 Google Chrome Becomes Unresponsive when Started as Published Application: add the parameters --allow-no-sandbox-job --disable-gpu in the published app command line. According to Dennis Span, this is no longer needed in Chrome 58 and newer.

CTX205876 Non-published Google Chrome browser on XenApp server, called and launched from any published app, is seen in black/grey screen: The command line parameter has to be added to registry shell open command for the Chrome browser:

  1. In Regedit, navigate to HKEY_CLASSES_ROOT\http\shell\open\command
  2. Edit the Default value as follows:
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --allow-no-sandbox-job --disable-gpu -- "%1"

Disable Application and Hide It

  1. In Studio, you can disable a published application by right-clicking it, and clicking Disable.
  2. In older versions of XenApp/XenDesktop, when you disable the application, it leaves the application visible but it is grayed out thus preventing users from launching it. In 7.8, the disabled app is automatically hidden (no longer shown in the apps list).
  3. If desired, you can hide or unhide the disabled application icon by running a PowerShell command:
    asnp citrix.*
    Set-BrokerApplication MyApp -Visible $false

  4. When you re-enable the application, Visibility is automatically set back to true.

Browser Content Redirection

Browser Content Redirection prevents the rendering of whitelisted webpages on the VDA side, and instead renders them on the client side. Only the browser viewport is redirected. The intent of this feature is to redirect HTML5 Video (e.g .youtube).

Browser Content Redirection requirements:

  • Citrix Virtual Apps and Desktops (CVAD) or XenApp/XenDesktop 7.16 and newer
  • Receiver 4.10 or newer
  • Chrome support is available in Citrix Virtual Apps and Desktops (CVAD) 1808 and newer
    • In the VDA, install the Chrome Browser Extension named Browser Content Redirection Extension. You can use Google Chrome Group Policy templates to force installation of the extension. See Browser content redirection Chrome extension at Citrix Docs.
    • You do not need any client software other than Workspace app 1809 or newer. The client-side rendering engine is included in Workspace app 1809 and newer.
      • HDX Browser Content Redirection feature will not work with Citrix Workspace app for Windows 1912 LTSR due to removal of the embedded browser from LTSR versions. But it does work in Workspace app 2006.
  • Internet Explorer 11– IE 11 on both the VDA, and on the client.
    • On the VDA, Enhanced Protected Mode must be disabled under Internet Explorer: Internet Options > Advanced
    • On the VDA, an IE 11 Browser Helper Object (BHO) named Citrix HDXJsInjector facilitates the redirection.
    • In Internet Explorer > Tools > Internet Options > Advanced > Browsing, ensure that Enable third-party browser extensions is checked. Source = Content Browser Redirection at Citrix Discussions.
  • Internet access from Client – By default, the client (Receiver) tries to fetch the redirected content. If client is not able to fetch, then the content falls back to server rendering.
  • When redirection is working, the client machine has a HdxBrowser.exe process.

    • See Kasper Johansen Citrix Xenapp And Desktop 7.16 Browser Content Redirection for some videos of this feature.
    • Kasper and Rasmus detail client-side registry keys to enable HdxBrowser.exe to use client-side GPU. These keys/values might already be configured in Receiver 4.11 and newer.
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
        • HdxBrowser.exe (DWORD) = 1
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
        • HDXBrowser.exe (DWORD) = 11000 (Decimal)
      • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
        • HdxBrowser.exe (DWORD) = 1
      • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
        • HDXBrowser.exe (DWORD) = 11000 (Decimal)
    • Rasmus Raun-Nielsen at Browser Content Redirection?! at LinkedIn has some CPU analysis, including client-side GPU.

Browser Content Redirection is configured using Citrix Policies, in the User half, under the Multimedia category.

Browser Content Redirection is enabled by default, but only for the specified whitelist URLs (ACL Configuration). Note that wildcards can be used in the path, but not in the DNS name. To configure Microsoft Teams and GoToMeeting, see CTX238236 Browser Content Redirection: whitelisting websites.

Citrix Virtual Apps and Desktops (CVAD)  and XenDesktop 7.18 and newer have a setting named Browser Content Redirection Authentication Sites. Add URLs that are redirected from the main ACL URL. To configure Microsoft Teams and GoToMeeting, see CTX238236 Browser Content Redirection: whitelisting websites. Also see See CTX230052 How to Troubleshoot Browser Content Redirection.

Citrix Virtual Apps and Desktops (CVAD) and XenDesktop 7.17 and newer have a Blacklist setting. Any address added here will not be redirected to the client. You typically configure this setting to override the ACL setting (e.g. ACL setting has a generic URL, but the Blacklist has a more specific URL)

7.18 adds a Browser Content Redirection Authentication Sites setting. Configure a list of URLs that sites redirected via Browser Content Redirection can use to authenticate a user. E.g. iDP URLs.

Registry keys for Browser Content Redirection are detailed at Browser content redirection policy settings at Citrix Docs.

Bidirectional Content Redirection

You can redirect URLs from client to a published browser, or from VDA to the client. See Bidirectional content redirection policy settings at Citrix Docs for requirements and limitations.

  1. Make sure Local App Access is not enabled on the VDAs.
  2. Make sure a browser is published. Chrome and Edge require Workspace app 2106 and newer connecting to VDA 2106 and newer.
  3. Edit a GPO that applies to VDA users.
  4. Go to User Config | Policies | Citrix Policies and edit a Citrix Policy.
  5. Find the setting Allow Bidirectional Content Redirection and enable it (Allowed).

  6. In CVAD 2311 and newer, use the setting Bidirectional content redirection configuration to insert a JSON string containing the list of URLs to redirect from client or VDA. The older setting for Allowed URLs has been deprecated. See Bidirectional content redirection at Citrix Docs.

  7. Prior to CVAD 2311, also configure the Allowed URLs policy settings (VDA to client, or client to VDA) to indicate which URLs should be redirected in either direction.

    • VDA 2206 adds support for wildcards in the Allowed URLs to be redirected to Client policy setting, but not from Client to VDA.
    • VDA 2206 adds support for custom protocols other than HTTP and HTTPS in the Allowed URLs to be redirected to Client policy setting. These custom protocols don’t work from Edge/Chrome.
    • More details at Citrix Docs.
  8. In CVAD 2311 and newer, it is no longer necessary to configure Bidirectional Content Redirection on the client side. For older CVAD:
    1. Copy the receiver.admx file from Receiver 4.7 or newer to PolicyDefinitions (SYSVOL or C:\Windows\PolicyDefinitions).
    2. Edit a GPO that applies to client devices (endpoints).
    3. Go to User Configuration | Policies | Administrative Templates | Citrix Workspace | User experience.
    4. Double-click the setting Bidirectional Content Redirection.
    5. Enable the setting.
    6. In the Published Application field, enter the name of the Internet Explorer published application.
    7. In the Allowed URLs fields, configure the URLs you want to redirect in either direction.
  9. On the VDA, run one or more the following commands to register the browser add-on. Chrome and Edge require Workspace app 2106 and newer connecting to VDA 2106 and newer.
    "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regIE
    "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regChrome
    "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regEdge
    "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regall

  10. CTX232277 Unable to Logoff When Bidirectional Content Redirection is Configured says that the following registry value should be configured on the VDA. If you already have LogoffCheckSysModules, then add the below processes names to the existing value.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
      • LogoffCheckSysModules (REG_SZ) = wfcrun32.exe,Concentr.exe,SelfServicePlugin.exe,redirector.exe
  11. In Workspace app 2106 and newer connecting to VDA 2106 and newer, do the following to enable redirection for Chrome and/or Edge:
    "%ProgramFiles(x86)%\Citrix\ICA Client\redirector.exe" /regChrome /verbose

  12. Chrome might display an Error indicating New extension added.

  13. For Internet Explorer, do the following:
    "C:\Program Files (x86)\Citrix\ICA Client\redirector.exe" /regIE

  14. When you run Internet Explorer on the VDA or client device, you’ll be prompted to enable the add-on. You can configure a GPO to enable this add-on automatically. Redirection won’t work unless the add-on is enabled.

Host to client Redirection

This feature causes Citrix VDA to redirect http links in applications to the client machine, so they are opened using the client’s browser. The feature is disabled by default.

James Rankin at Using host-to-client redirection in Citrix XenApp explains the feature in detail, including:

  • Limitations of the feature
  • Registry values to control the URL Schemes that can be redirect to the client
  • Group Policy and XML file to handle the File Type Associations in Windows 2012 and newer

Local App Access

Some applications are not suitable for centralization and instead should run on endpoint devices. These applications include: phone software, applications needing peripherals, etc. Citrix Local App Access lets you access these endpoint-installed applications from inside a published desktop. This is sometimes called Reverse Seamless.

Local App Access has three modes of functionality:

  • User-managed local applications. Any shortcuts in the endpoint’s local Start Menu and local Desktop are made available from inside the published desktop.
  • Administrator-managed local applications. Use Studio to publish a local application, which is created as a shortcut inside the published desktop. When the shortcut is launched, it is actually running from the endpoint device (reverse seamless) instead of the centralized desktop. If you enable administrator-managed local applications then user-managed local applications are disabled.
  • URL Redirection. Administrators define some URLs that should be opened in a local endpoint browser instead of a VDA browser, and then display the local browser inside the published desktop (reverse seamless).

Local App Access requires Platinum Licensing.

Do the following to configure Local App Access:

  1. In a Citrix Policy that applies to the VDAs, enable the Allow local app access policy setting. It’s in the Computer Half.
  2. The URL redirection black list setting lets you define a list of URLs that should be opened on the endpoint’s browser instead of the VDA browser. Alternatively, you can instead configure Bidirectional Content Redirection.
  3. On the Endpoints, install Receiver using the ALLOW_CLIENTHOSTEDAPPSURL=1 switch. Feel to add /includeSSON too. Run the installer from an elevated (Administrator) command prompt. This switch automatically enables both Local App Access and URL Redirection. Note: the URL Redirection code does not install on VDAs so URL Redirection might not work if your endpoint has VDA software for Remote PC.
  4. After installation of Receiver, launch Internet Explorer. You should see a prompt to enable the Citrix URL-Redirection Helper add-on.
  5. You can also go to Tools > Manage Add-ons to verify the Browser Helper Object.
  6. By default, Local App Access redirects the endpoint’s Start Menu and Desktop. You can control which folders are redirected by editing the endpoint’s registry at HKCU\Software\Citrix\ICA Client\CHS. You might have to create the CHS key. Create the Multi-String Values named ProgramsFolders and DesktopFolders, and point them to folders containing shortcuts that you want to make available from inside the published desktop.

  7. When you connect to a published desktop, by default, there will be a Local Programs folder in the Start Menu containing shortcuts to programs on the endpoint’s Start Menu. These are user-managed shortcuts. Note: Windows 8 and newer only supports one level of Start Menu folders. This means that all local shortcuts are placed into the single Local Programs folder without any subfolders.
  8. On the VDA Desktop there will be a Local Desktop folder containing shortcuts from the endpoint’s desktop. These are user-managed shortcuts.
  9. Note: the following doesn’t seem to work in LTSR 7.15. The VDA seems to overwrite these registry values.
    1. The Local Desktop and Local Programs folders on the VDA can be renamed by editing the VDA’s registry at HKCU\Software\Citrix\Local Access Apps. You might have to create the Local App Access registry key. Create String values ProgramsCHSFolderName and DesktopCHSFolderName as detailed at Citrix Docs.

  10. To enable administrator-managed local applications, login to a machine that has Citrix Studio installed, and edit the registry. Go to HKLM\Software\Wow6432Node\Citrix\DesktopStudio, and create the DWORD value named ClientHostedAppsEnabled, and set it to 1.
  11. When you open Studio, and right-click the Applications node, there is a new entry Add Local App Access Application.

    1. In the Getting Started with Local Access Applications page, click Next.
    2. In the Groups page, select the Delivery Group or Application Group whose published desktop will receive the shortcut, and click Next.
    3. In the Location page, enter the path to the executable. This is the path on the endpoint. Also enter a Working Directory. You can get this information from the properties of the shortcut on the endpoint device. Click Next.
    4. In the Identification page, enter a name for the shortcut, and click Next.
    5. In the Delivery page, these options work as expected. Click Next.
    6. In the Summary page, click Finish.
    7. If you open the Properties of the Local App, there’s a Limit Visibility page.
  12. When you login to the desktop, you’ll see the administrator-managed local application. If any administrator-managed Client Hosted Applications are delivered to the user, then the default Local Programs and Local Desktop folders no longer appear.
  13. To enable URL Redirection, login to the VDA, and run "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regall. This registers the browser helpers.

  14. In Internet Explorer, if you go to Tools > Manage Add-ons, you’ll see the Citrix VDA-URL-Redirection Helper add-on.
  15. From inside the published desktop, if you go to a website on the blacklist, the VDA browser will close and a local browser will open in Reverse Seamless mode. If you then go to a website that is not on the blacklist, the local browser will close and the VDA browser will open again.

Citrix TV – Local App Access in XenDesktop 7

Anonymous Apps

Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.6 and newer supports publishing apps to anonymous users. Edit the Delivery Group, and on the Users page, check the box next to Give access to unauthenticated (anonymous) users.

Anonymous Users are managed differently than regular Domain Users. See VDA Anon instructions for adding anon accounts, configuring session timeouts, and configuring local group policy.

Anonymous published apps should show up for all authenticated users. However, you can also create a StoreFront store that does not require any authentication.

Export/Import Published Applications

If your destination CVAD farm is version 2212 or newer with Web Studio, then you can use Citrix’s Automated Configuration Tool to export and import the configuration. See Citrix Docs PoC Guide: Automated Configuration Tool – On-Premises to On-Premises Migration


Related Topics

267 thoughts on “Published Applications”

  1. Hi Carl,

    is it possible to use a special folder redirection (SFR) for windows redirected folders (My Documents, Music, …)? We want to use it in Published Apps on VDI Desktops.


  2. Hello Carl. We have two Sites configured identically. One is in DC1 and the other is in DC2. We have a storefront web farm in DC1 and DC2. Each StoreFront farm connects to its local controllers in the DC it is located at, there is no mesh set up where the Storefront webs connect to a DDC in DC1 or DC2. Each StoreFront Web Farm in a DC is load balanced using F5 . Then each DC is load balanced using the F5 GTM (GSLB) feature. Since both Sites have the exact published application between the two, the apps will launch either from DC1 or DC2 while only displaying a single icon for each application. We can turn down the StoreFront Farms in a DC to prevent connections from Receivers in any of the DC sites. All that works but we have a need to turn down only one Application in a DC while the other applications in both DC’s are still live. The reason is when an update is deployed to a specific application (updating a VM Master) in a DC, the engineers want to perform a smoke test to confirm that everything is working like it did in Test. But to accomplish that, we need to figure out how to “turn down” the application in only ONE DC while it is still alive in the other. In our testing we tried using KEYWORDS but that only caused the Receivers to sometimes display the icon because of the global load balancing rules enabled.

    Given our design, is it even possible to “disable” an application(s) in one site while still providing active/active availability of all the other applications from both DC’s?

    Note: Each Storefront web farm is behind a DNS alias specific to each DC so a user could bypass the GSLB rules and go directly to a DC’s DNS alias and using Receiver for Web, launch an application only from that site.

    1. In DC1 you want to disable an app. If a user connects to StoreFront in DC1, you want the user to see the icon from DC2? If so, then you’ll need StoreFront to enumerate icons from both data centers.

      1. That was our thought as well and tested this. The problem is after a few receiver refreshes, the icon disappears because it connected to the DC1 SF server and the icon was hidden. Refreshing again, the icon re-appeared.
        Is there something further we might need to configure in SF with the Delivery controller section?

  3. Hi Carl,

    Virtual Apps 7.15 LTSR
    How can I publish content for UNC path to SMB share using the File Explorer from the Citrix servers and not the local Explorer? We do not want to use the local File Explorer because there are firewall rules blocking this from the client subnet.

    “You can also publish UNC paths, which are opened with local Explorer or local application.”



      1. Yes, we can. The only drawback to this, so far, is that we cannot drag and drop files from the local endpoint. Ideally, we would want users to be able to drag and drop folders and files from their endpoint. Can this be done? Sort of a way to hairpin around the firewall in the client office.

        What I have now is a setup as you described. Users launch the published content twice, to get two windows up. Now they can copy and paste between these two windows. They treat one as a Source window, and browse to their file on their desktop, in a shared drive, etc. They treat the other as the Destination window, and copy into this window from the source.

          1. Was able to copy/paste to and from the local endpoint’s desktop once I updated to VDA 1912 with WorkSpace App 1903. This should meet their needs. Thanks for the help, Carl!

    1. In studio publish windows explorer.
      On the same screen under where u selected windows explorer you will aurguments. Put in \\server\share

  4. Hey Carl,

    We are having problems opening excel files on a published desktop. We want to open those files on a published desktop with a published app (Excel) but we keep getting the error “Sorry we couldn’t find \\Client\C$\…”. I already tried to change the reg key “NativeDriveMapping to TRUE” with no luck.

    I made it work allowing the policy “Client Fixed Drives” but i don’t like this solution due that it’s sharing in the network my physical c$…

    Any advice of how to approach this issue? Thank you!

        1. Ryan,

          We found a registry setting that has cleared the issue for us.

          Path: HKLM:\SOFTWARE\WOW6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\ClientDrive

          Name: NativeDriveMapping

          Type: REG_SZ

          Value: TRUE

          Initially set with GPO, but eventually added it to the image.

  5. Hi Carl,we are facing issue in Server2016 VDa version 7.18, when user id aluching the apps getting pop up “how do you want to open this file”

  6. When configuring a DG with Set-BrokerAppEntitlementPolicyRule and SessionReconnection parameter to ‘SameEndpointOnly’ it implies that a same user account can run different instances of the same published app on a same session host from different endpoints. This will cause issues when that app opens same file handles for writing?

    1. Maybe. Apps should fail gracefully. Each session should have its own temp directory to mitigate this kind of problem.

  7. Hello Carl

    I am not able to copy text from my XenApp 6.5 Console to Citrix Cloud console 7.1X.
    I am trying to publish app in Citrix Cloud console but want to copy a URL path from my current XenApp 6.5 published app to Citrix Cloud “publish app manually” , but cant copy paste

    Any help appreciated ?

  8. Hi Carl,

    We have now updated our environment from Xenapp 7.15 (windows Server 2012) to Xenapp 1906 (windows Server 2016). We use published applications with FTA. We ran in some issues with some Windows 10 users, desktop shortcuts to files (Excel / PDF / etc. …) can no longer be opened. This ocurred after moving to the new environment. All Policies are the same. The error message states that the file \\ Client \ P $ \ …. can not be opened (which is obvious, because P: is a network share and not a local drive).
    The auto creation of client drives is disabled by policy.
    This Issue only affects the windows 10 clients… windows 7 clients are working fine.
    Do you know a way of fixing this error?

  9. Hi Carl. I’m having a lot of headache resolving this issue. Users get this error when they try to launch apps “unable to launch application contact your helpdesk with the following information: cannot connect to the citrix xenapp server. there is no citrix xenapp server configured on the specified address”.

  10. Hi Carl,

    I cannot disable session roaming for published applications from within a published desktop. I have tried using the BrokerEntitlement policy setting ‘SameEndpointOnly’, made sure the RDS setting “Restrict user to a single setting” is set to No, disabled Session reconnecting in Receiver, and even disabled Workspace Control altogether. Nothing seems to work. No matter what, the new session takes over the previously launched session. Of note however, is that it only seems to occur when the same user launches an application from the same Desktop terminal server. It’s almost as if it is using the Endpoint name as the user name and then disregarding any session sharing settings.

    We never had this problem in 7.6 I am desperate for a fix as this is preventing us from rolling out our new 7.15 LTSR farm.

  11. Carl, what app are you finding works for opening Pictures, JPG, TIF, PNG ? Now that we are on Server 2016 it defaults to Paint
    Appreciate any suggestions

    1. We use Infraview ( i_view64.exe ) it is light weight and works well….it does not cache any previously viewed images.

  12. Dear Karl is it possible to give users read only access to a published application and publish desktops without them being able to modify anything (that is view only rights) using xenapp 1903

    1. Are you asking about permissions inside Citrix Studio? I suspect you can create an administrator role and assign it to people.

      Or are you asking about a read-only session? If you build non-persistent machines, then when the user logs off, whatever changes were made by the user will be discarded.

      1. Hi Karl. I am asking about read only session. The users cannot modify anything. I am taking about Xenapp

        1. Then a non-persistent machine (e.g. MCS) is your best option.

          Another method of deleting changes at logoff is to configure a mandatory profile.

  13. Hello, in Citrix Studio 7.13 i actually created RDP app that directly goes to specific server (mstsc.exe /v:SERVER1). Users need to very often copy some files into that server, but it is not possible (ctrl+c / v not vorking, copy-paste not working) is there way how to do that? I thaught about access local files, is it possible turn it on at application or is it working only at desktops? Please help.

    Thank you

    1. VDA 1903 and CWA 1903 adds copy/paste of files for Citrix sessions. Not sure if it will double-hop into the RDP session.

      1. I installed new version (Citrix Workspace app on Notebook, but the situation is still the same. Still cannot copy files (tested on more Apps and also more Desktops). Is it necessary to setup some additional settings?

        Thank you

  14. Not sure this was in another comment or even still relevant for this version. But I publish urls in Studio and set icons/paths etc.
    For location i use:
    commandline argument: (url you want them to hit)
    Working directory:

    This lets me publish pages to specific groups using the clients browser.

  15. Hi Carl,

    Hope you are well.

    I need some help on below,

    1 – We have one application called – MS Access
    2 – We have two RDS servers (Server 1 & Server 2 )
    3 – There are two users accessing MS Access
    4 – Now I want when user A launch MS Access it should go to strictly Server 1.
    5 – Secondly, When User B launch MS Access it should go to Strictly Server 2.

    Note – I know in XA 6.5 it could achieve by creating Worker group. However In version 7.6. 0.5026 I am not finding an option to get this done. Tag option is not helping out though.

    Many Thanks

    1. You’ll need to upgrade to 7.15 to take advantage of the machine tagging and Application Group features.

  16. Hi Carl,

    Thank you for providing the great and detailed article. I would like to know if there is a way to fetch list of Delivery groups and published applications along with the server details similar to Xenapp. Please help me.

  17. Happy new year Carl..!

    I want to know how we can find the list of application available to any user; like we have option in XenApp65 “Application By User”


  18. I dont see the folder for VDARedirector.exe on the VDA. Its a Windows 7 VDA is this supported? I can see my local apps and I even published IE but when i do anything in IE it opens a new session of IE on the VDA and closes the local IE

  19. Hello Carl,

    Nice Article !

    Just a quick question. I’m publishing Adobe CC suite as seamless applications with Lingering activated on the Delivery group.

    When the application is closed, the session stay Active. I’ve already tried to Add the registry key LogoffCheckSysModules (

    After some investigation, Adobe CC let some process which display a window for the user. Is there a way to close them and make the lingering feature work smoothly ?

  20. Hi Carl, when we launch publish application using storefront 3.15 and XenApp 7.8 a login window appears again ask for username and password, please advise

    1. Are you doing Single Sign-on? Or is there a group policy setting to “Prompt for Password” when connecting to RDSH?

    2. There is a gpo that will force username and password when u launch a published app. This is not a citrix settiing. It’s a remote desktop gpo setting. Check domain gpo. Also check local gpo on the server vda.

      If though u login with username and password through storefront it will ask again on published apps if this Microsoft gpo is set.

  21. Hi Carl, i was followed the steps adding applications and adding policies but unfortunately when I click one of the application example: Notepad via <http: /Citrix/StoreWeb/>, it only read the apps but not displayed. how can I configure to be able to launch application successfully?. tnx

  22. Hello Carl,

    After readying your daily EUC updates, I start reading about the Bidirectional and Browsers redirection.
    It appears that Bidirectional content redirection is not something that is worth deploying If you can go above 7.15 that is.

    It appears that if you can go off the LTSR version and stay with Browser Redirection is the way to go and its for Chrome as well.

    I just don see any benefit to Bidirectional Content Redirection any longer(Unless you are on LTSR)?

    Would you agree that Browser redirection is a better choice if give the environment can support it?

    1. The idea of BCR is to reduce datacenter CPU by making the client do the CPU rendering.

      Yes, you currently have to upgrade to 1808 to get BCR, especially for Chrome.

  23. Hi Carl, do you think the Browser Redirection feature will be made available for XenApp 7.15 at any time? I would love to use this feature, but don’t want to leave the LTSR channel. Thanks.

  24. Hi Carl,

    I published app-V Packages from Network share on Citrix 7.15 environment. the application seems to be working fine for a couple of weeks of testing and all of a sudden the few apps stopped working for 1/7 Users who are testing these apps.


    The application Failed to Launch
    This may be due to a network failure.
    Error Code: 0x8ED0062A-00000057
    Error Code: 0x8ED00706-0000000E

    tried UPM Profile reset and it did not work.

    what to know how can i fix this issue.

    And i also want to know if you have any document to troubleshoot App-V issues in Citrix 7.x.

  25. Hi,

    Actually, i migrate my vcenter to a new vcenter with new storage, new dvswitch etc…
    However, i wan’t lose my XenApp Configuration (Machine Catalog, Delivery Group …)

    i must move all VDA, Machine Catalog, Delivery Group and create a new connection.

    How My Delivery group could know my new connection with new storage, new network without broke everything.

    What’s the procedure ?


    1. Delete all existing Catalogs. Create a new Hosting Connection for the new vCenter. Recreate the Catalogs using the new Hosting Resource. Add the new Catalogs to your existing Delivery Groups.

  26. Hi Carl – a quick question I hope. I have a customer with a vanilla XenApp 7.15 installation, 1 delivery group, 1 netscaler (12.x), 1 storefront (3.12) server. They have a corporate web page published app that is set to autolaunch when the user signs into the Netscaler Gateway/Storefront combo This works as intended, and the corporate web page published app is fully up and running in about 5 seconds from signing into the Netscaler/Storefront webpage. The problem: They don’t want their users to be able to launch any other published app on the webpage until the autolaunched corporate webpage published app is fully up and running. So what they are asking for is basically a 5-6 second delay so their corporate webpage is up and running before their users can launch anything else. I’ve been looking for ways to rig this up, but no luck so far. Any ideas? Odd question, I realize. Most companies want to get rid of any app launch delays. This company wants to insert one, but of course, only when the Netscaler/Storefront webpage comes up for the first time at login.



  27. Hi Carl

    i have published external website for training purpose. Anonymous users will be using this published app . Since i cannot bypass proxy i have created batch file to launch website. and having runas in the batch file.
    i am able to launch the application as computername\ anon000.
    next anonymous user is not able able to launch the application . it appears that when runas command starts it kills the session.
    is it possible to use runas ( same user multiple session same server )



  28. hellon Master!
    I am confused with “modeling terms”, i want to know if:
    “Hosted Shared” is the same of “Published Applications”

    1. “Hosted Shared” = RDSH (Microsoft Remote Desktop Session Host), which allow multiple users to connect to one virtual machine.

      This is different than Virtual Desktops, which only allow one user per virtual machine.

      You can publish apps from either, but usually from RDSH.

  29. Carl,
    Is there a way to allow an application to only be available external through Netscaler logon and not be available in the User desktop receiver? For instance, we want the application to be available for remote use only, but when logged onto the workstation we do not want the receiver to display the application? Are there any settings in Citrix 7.15 that will allow us to control the application access in this manner?

    1. Edit Delivery Group > Access Policy. There’s a checkbox for “All connections not through NetScaler Gateway”. You might have to enable SmartAccess for this to work. This is at the Delivery Group level, not at the individual app.

  30. Hi Carl,
    Happy New year, Need to know the Command to get the Group names associated with Application Name through Powershell Command

  31. I just upgraded to 7.15 and am working on setting up Application Groups and Machine Tagging.

    Previously, I had 3 delivery groups, one with 2 servers, and two with 1 server each. Applications were setup to each delivery group that hosted those applications.

    I have now changed it to one machine catalog with all of my XenApp servers in it, and a single delivery group. I have app-tagged each server that hosts each app and built application groups using those app-tags.

    Everything seems to be working just fine, but it looks like I lost almost all my File Type Associations. It seems to be looking at the first server in the Delivery Group for Associations, not the server that was tagged.

    Should I be setting up my Delivery Groups and Application groups differently? Or is this the expected result?

    My goal was to get Application session sharing between my Delivery Groups working and to clean up permissions.

  32. Hello Carl,
    Thank you for your Detailed articles and advices. You wrote “Local App Access requires Platinum Licensing”. I confirmed this information on Citrix website:

    I didn’t know about licensing requirement, so due to a custumer specific need, I started directly testing this feature and it seems working, I confirm I can see local programs and local desktop ! the problem is that we have Entreprise Licence only ( we have xenapp/xendesktop 7.8 version ).

    Could you please tell me what do you think about this ?

    Thank you.



  33. I have configured some Local Apps to be accessible in VDA. This is working fine, but I am not able to edit them. I have some “Delivery Group” selected then when creating it, but now I need to added some more.
    While trying to edit, all Delivery groups are grayed out. However when creating a new “Local App” entirely, I am able to select same groups which are being grayed-out when trying editing.
    This is not permission problem as I am performing both actions with same account.
    I am using “administrator-managed local applications” options.

  34. In using “Local App Access (Reverse Seamless)” we opted for “administrator-managed local applications” configuration. I observed however that the “Local Desktop and Local Programs” are still available but empty.

    Is there a way to render them invisible since they would not be use in any way.


  35. how to publish .bat files in 7.6 which used to run with .exe, in xa6.5 we configure it like this;- “C:\program files\apps\axis\local.bat” tool.exe

    how could I make this syntax in 7.6?

  36. Hi Carl

    I want to publish a server content in Google Chrome like “http://servername/lexica” and let startup the locally installed Chrome browser if installed.

    So I publish chrome.exe and keyword:prefer=”Google Chrome”. the command line parameter contains the “http://servername/lexica”.

    The browser opens locally but not with the URL mentioned in the parameter line. I couldn’t find anything. I tried with the old %1 or %* in the published line but * is not allowed.

    Any help is highly appreciated.


  37. Does XenApp 7.12 offers offline access? I need to deploy some apps where users will stay disconnected but still need access to the application and once connected, app will synchronize. I remember in the past there was something called Streamed Apps.

    Thx Carl

          1. Not in Citrix, no. They figured that App-V already does it so no point in Citrix doing it.

            Citrix also has a DesktopPlayer product that can run desktops offline.

  38. We are running XAXD712, After application installation on a 2012 RDSH VDA , all the application published from that server like note pad, calc gets access denied error ” the domain\user ” does not have acces

    1. Is the server locked down using GPO or similar? If so, you’ll have to look in Event Viewer > Windows Logs > Security to see what user right is missing. Or maybe procmon for access denied messages. Users also must be in Remote Desktop Users group.

  39. Good Morning Carl,

    I am aware that I can add another desktop for the same Environment, but it would have to be named differently and would be very confusing to our users who are not very sophisticated. Are you aware of any way to get v7.12 (or 7.13 – I have no issues upgrading) to get one icon to deliver multiple desktops to a single user. Seems like Citrix deprecated a very valuable function for some users and I cannot get Citrix support to provide a firm answer on this. Is this by design or just overlooked? If the function is never coming back, I would like to know so we can figure out how to move forward.

    Thanks for your input.

    Mike Altman

    1. Didn’t they show up with a :1, :2, etc? Maybe you can simulate something similar with the multiple published desktops.

  40. Hi Carl,

    Sorry I did not clarify. These are desktops. Apparently multiple sessions are not an issue for applications in 7.12. However, most everything we do are with desktops. To clarify further our Citrix support guy tells us that this function is by design and should not have worked in 7.6. However, it is clear form the posts around 7.6 – we are not the only users to get multiple sessions to work in 7.6. It’s just not clear why it would stop working.


    Mike Altman

  41. Hi Carl,

    Thanks for all your efforts to clarify Citrix. I could not do my job without them. I have an issue I am struggling with for some time. We have installed Citrix 7.12 in a Test ENV. We have been unable to open multiple sessions for a single user in this ENV. We did not have this issue with v7.6 provided we used -sessionreconnection – Disconnectedonly (which I got from your post). However this no longer works. Is there any info on this.

    Thanks in advance!!

  42. For large enterprise clients with perhaps hundreds of App V applications would you recommend creating the APP V infrastructure i.e. management console etc. or just use studio? I found publishing APP V apps in 7.9 a little “flaky” and resorted to the 3rd party app V launcher utility community version.

    1. Are you asking the PowerShell command to create a LAA? In Studio, after you create something, click the top left node, and then click the PowerShell tab. I see the following:

      New-BrokerApplication -ApplicationType “InstalledOnClient”

      1. Hello Carl,

        I need to publish a network share to 3rd party users using file explorer as a published app in XD 7.6.
        Ideally I need to lock down the network discovery of domain machines when the user hits network option. I did manage to hide the network icon using ADM template, however if the user hits back to the UNC path, he can reach the network location where he can see all the domain machines.(3rd party user has domain user access which brings him all the domain machine to be visible). Is there any way that I can disable address bar or loack down the file explorer to let them see only the folders?


        1. Citrix doesn’t offer anything to do this. I think AppSense does. Or you can put some VDAs in a firewalled security zone and only allow them to access certain other machines.

Leave a Reply

Your email address will not be published. Required fields are marked *