
Getting Started for Local

deviceTRUST requires a few simple but essential configuration steps before it can be used on your local devices. This guide walks you step by step through installing and configuring deviceTRUST, using the Unauthorized USB Device use case as the example for your local devices.

Local Scenario

We will perform the following steps:

  1. Step 1: Download the deviceTRUST setup binaries
  2. Step 2: Install the deviceTRUST Agent
  3. Step 3: Install the deviceTRUST Console
  4. Step 4: Enter your deviceTRUST License
  5. Step 5: Create and apply a file based configuration
  6. Step 6: Test the Unauthorized USB Device use case

Step 1: Download the deviceTRUST setup binaries

The latest deviceTRUST software can be found on our Download page and your personalized license can be found within your product license certificate.

Step 2: Install the deviceTRUST Agent

Start the installation of the deviceTRUST Agent on your local device. Follow the steps in the section Installing the Agent to complete the installation.

Step 3: Install the deviceTRUST Console

To configure contextual security policies and apply them to the deviceTRUST Agent, you need the deviceTRUST Console. The deviceTRUST Console supports several ways of providing contextual security policies to the deviceTRUST Agent: the Local Policy Editor, a Group Policy Object (GPO), or a file-based policy.

Within the Getting Started Guide, for simplicity, we use the Local Policy Editor to quickly and efficiently create, edit, and use contextual security policies. Follow the steps in the section Installing the Console to complete the installation.

The deviceTRUST Console includes a node within the Local Policy Editor COMPUTER CONFIGURATION\DEVICETRUST CONSOLE which can be used to model the context of a user, and then act on changes to that context by triggering custom actions within your environment.

The deviceTRUST Console

Step 4: Enter your deviceTRUST License

Adding a deviceTRUST license is only necessary in a non-CVAD environment.

To add the license to the deviceTRUST contextual security policy, open the Local Policy Editor, navigate to DEVICETRUST CONSOLE, and click the LICENSED FOR CITRIX link on the homepage.

Unlicensed deviceTRUST

Depending on your license, your individual deviceTRUST license can be found in your MyCitrix Portal.

deviceTRUST license in Citrix Portal

Enter your deviceTRUST license and make sure it is valid. Close the license editor with OK and click on SAVE TO LOCAL COMPUTER POLICY in the top right toolbar.

Licensing deviceTRUST

deviceTRUST is now enabled and will work for all users except local administrators connecting to that remoting or DaaS host system with the deviceTRUST Agent installed. To check that you have added a valid deviceTRUST license, open the Windows Event Log, navigate to APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN, and check for event ID 11, which states that your deviceTRUST license is valid.

Valid deviceTRUST License
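
The same license check can be scripted instead of browsing the Event Log by hand. The following PowerShell is an added example, not part of the deviceTRUST product or its documentation; it assumes the channel shown in Event Viewer as DEVICETRUST\ADMIN is registered under a name that starts with deviceTRUST and contains Admin, and discovers it rather than hard-coding it.

```powershell
# Added example: look for the "license is valid" event (ID 11) from a prompt.
# Assumption: the deviceTRUST Admin channel name matches 'deviceTRUST*' and
# contains 'Admin'. The name is discovered at run time, not hard-coded.
$channel = Get-WinEvent -ListLog 'deviceTRUST*' -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -like '*Admin*' } |
    Select-Object -First 1

if (-not $channel) {
    # No channel usually means the Agent is not installed on this device.
    Write-Warning 'No deviceTRUST Admin event channel found. Is the deviceTRUST Agent installed?'
    return
}

# Event ID 11 is the event this guide names as confirming a valid license.
# Get-WinEvent raises an error when nothing matches, so silence it and test the result.
$events = Get-WinEvent -FilterHashtable @{ LogName = $channel.LogName; Id = 11 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue

if ($events) {
    # Show the most recent matches, newest first.
    $events |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List
} else {
    Write-Warning "No event ID 11 found in '$($channel.LogName)'. Re-check the license entered in the deviceTRUST Console and that the policy was saved."
}
```

Run it from an elevated PowerShell session on the device where the deviceTRUST Agent is installed.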

Step 5: Create and apply a file based configuration

We will use the deviceTRUST Console to create a contextual security policy that makes access to the session dependent on whether the USB device being used has been authorized. The deviceTRUST Console includes a set of use cases which can be used to quickly implement a use case. Launch the deviceTRUST Console and create a New Policy.

Select Sharing at the top right and click Import Template, then choose Local, Unauthorized USB Device, Unauthorized USB Device, and confirm with Import Template at the bottom.

Unauthorized USB Device Use Cases Template

A confirmation of the successful import appears; confirm with OK.

At the top of the console you'll find the count of configured Context, Actions, Messages, and Settings.

Select Context, Unauthorized USB Device and click on the 3rd white property box Local / Logical Disk / Identity / None of.

Property dialog box for Logical Disk Identity

Add the allowed USB drives line by line and confirm with OK. All other USB drives will be treated as unauthorized.

Select Actions and see one active (Unauthorized USB Device Notification) and one disabled (Unauthorized USB Device - Enforcement) action. Depending on whether you only want to inform about the execution of the policy or block access, select what should be active using the Enable/Disable toggle on the right side of the respective action.

The Unauthorized USB Device use cases Actions within the deviceTRUST Console

Save the policy either as a Local Policy or as a File-Based Policy. Check Policy Loading to find the correct folder for saving file-based policies.

Step 6: Test the Unauthorized USB Device use case

Sign in to the local device with a non-administrative user account and then plug in an authorized USB device at runtime. The authorized USB device is displayed in Windows Explorer and can be used. Now plug in an unauthorized USB device, either in addition to or instead of the authorized one, to see how deviceTRUST can easily and dynamically control access to the session depending on the USB device in use.

Testing the Unauthorized USB Device use case

Troubleshooting

If your deviceTRUST installation or configuration does not work as expected, you can use the Troubleshooting guide to start troubleshooting.