Configuring Citrix Virtual Apps and Desktops Virtual Channel Security
Citrix Virtual Apps and Desktops contains a policy setting titled Virtual channel allow list, which controls which processes are permitted to open a virtual channel on the VDA. When the setting is enabled, every process that opens a virtual channel must be declared explicitly; only Citrix's own internal virtual channels are exempt. Additional entries are therefore required so that the deviceTRUST Agent can connect to the deviceTRUST Client.
- With Citrix Virtual Apps and Desktops CR 2109 or LTSR 1912 CU4 or later, the default value is
- With previous releases of Citrix Virtual Apps and Desktops, the default value was
There are two options to configure the virtual channel allow list for enabling deviceTRUST in a Citrix Virtual Apps and Desktops environment:
- Allowing all Citrix virtual channels plus the deviceTRUST virtual channel
- Allowing all virtual channels.
The first option is the recommended solution, as it preserves the protection the allow list is designed to provide. Both approaches are nevertheless described here.
Both settings are configured at the VDA level. The required setting is found in the Citrix farm policies under the name Virtual channel allow list.
Allowing all Citrix virtual channels plus the deviceTRUST virtual channel
We recommend configuring the deviceTRUST virtual channel explicitly. This complies with Citrix's concept of securing the virtual channel feature while still allowing deviceTRUST to establish its connection between the deviceTRUST Agent and Client. It requires the following steps:
- Explicitly enable the Virtual channel allow list policy setting
- Add the following deviceTRUST virtual channel and process names to the allow list
- If you use additional virtual channels for other functions, these must be added explicitly as well; any channel that is not declared will fail to open once the policy is enabled.
- If you are using only deviceTRUST 21.1, the entry 'DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe' can be removed.
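Before applying the allow list, it is worth checking on the VDA that each entry actually points at an existing, correctly signed executable, because the allow list binds a channel name to a specific process path: a typo in the path allows nothing, and the channel silently fails to open. The following PowerShell script is an added example written for this page; it is not deviceTRUST's or Citrix's own tooling. It assumes the NAME,PATH entry format shown above. The dthost.exe entry is the one named on this page; the second entry and the expected signer pattern are hypothetical placeholders that you replace with your own entries and with the subject read from a known-good deviceTRUST binary.

```powershell
# Added example (not deviceTRUST or Citrix code): audit a planned
# Virtual channel allow list on the VDA before enabling the policy.
# Each entry has the form 'CHANNELNAME,C:\path\to\process.exe'.

$allowList = @(
    # Entry named on this page
    'DEVTRST,C:\Program Files\deviceTRUST\Host\Bin\dthost.exe',
    # Hypothetical placeholder, only here to show how a bad entry is reported
    'EXAMPLE,C:\Program Files\Example\missing.exe'
)

# Assumed publisher name fragment; read the real subject from a known-good
# binary with Get-AuthenticodeSignature before relying on this value.
$expectedSignerPattern = 'deviceTRUST'

foreach ($entry in $allowList) {
    $parts = $entry.Split(',', 2)
    if ($parts.Count -ne 2) {
        Write-Warning "Malformed entry (expected NAME,PATH): $entry"
        continue
    }
    $name = $parts[0].Trim()
    $path = $parts[1].Trim()

    # ICA virtual channel names are at most seven characters long.
    if ($name.Length -eq 0 -or $name.Length -gt 7) {
        Write-Warning "'$name' is not a valid ICA virtual channel name (1-7 characters)"
    }

    # A path that does not exist on the VDA allows nothing: the channel will
    # simply fail to open once the policy is enabled.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Process not found on this VDA: $path"
        continue
    }

    # The allow list trusts whatever binary sits at that path, so confirm it
    # carries a valid Authenticode signature from the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $path is $($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Subject -notmatch $expectedSignerPattern) {
        Write-Warning "$path is signed by '$($sig.SignerCertificate.Subject)', not the expected publisher"
    }
    else {
        Write-Output "OK  $name -> $path (signed by $($sig.SignerCertificate.Subject))"
    }
}
```

Run it in an elevated PowerShell session on a VDA that has deviceTRUST installed. Every entry you intend to put into the policy should print an OK line; a warning means the entry will either be ineffective or is allow-listing a binary you have not verified.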
Allowing all virtual channels
A fallback option is to allow every virtual channel to be established. This works from a technical perspective, but it bypasses the security measure Citrix introduced with the 2109 release: any process running in the session, not only the declared ones, can then open a virtual channel to the client.