Getting Started for Remote
deviceTRUST requires some simple but essential configuration steps to be performed to enable deviceTRUST functionality for your remote environments. We will guide you step-by-step through simple deviceTRUST installation and configuration steps to enable deviceTRUST with a simple use case within your remote environment.
We will perform the following steps:
Option 1: Citrix installation packages
1.1: Download the Citrix product software
The deviceTRUST software is included from Citrix Virtual Apps and Desktop 7 2503.
Follow the VDA installation guide to get the right version.
Step 1.2: Install Citrix deviceTRUST
In the VDA Setup Wizard, Citrix deviceTRUST is part of the Optional Software:
Check the box and proceed with the installation.
Step 1.3: Install the deviceTRUST Console
To configure and to apply contextual security policies to the deviceTRUST Agent you need to use the deviceTRUST Console. The deviceTRUST Console supports various ways to provide the contextual security policies to the deviceTRUST Agent. Those options are using the Local Policy Editor, a Group Policy Object (GPO) or file-based.
The latest deviceTRUST console can be found on our Download page. Download the full binaries and just use the console installation file.
Within the Getting Started Guide, for simplicity, we use the Local Policy Editor to quickly and efficiently create, edit, and use contextual security policies. Follow the steps in the section Installing the Console to complete the installation.
The deviceTRUST Console includes a node within the Local Policy Editor COMPUTER CONFIGURATION\DEVICETRUST CONSOLE which can be used to model the context of a user, and then act on changes to that context by triggering custom actions within your environment.
Step 1.4: Enter your deviceTRUST License
Adding a deviceTRUST license is only necessary in a non CVAD environment.
For a CVAD environment, Citrix deviceTRUST is now enabled and will work for all users except local administrators connecting to that remoting or DaaS host system with Citrix deviceTRUST Agent installed. To check if a valid deviceTRUST license is applied, open the Windows Event Log and navigate to APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN and check for the existence of event ID 11 which states that your deviceTRUST license is valid.
Step 1.5: Install the deviceTRUST Client Extension on a Microsoft Windows device
Follow the information on Installation Client Extension page.
Option 2: Manual installation
Step 2.1: Download the deviceTRUST setup binaries
The latest deviceTRUST software can be found on our Download page.
Step 2.2: Install the deviceTRUST Agent
Start the installation of the deviceTRUST Agent on your remoting or DaaS host system, which can be Citrix Virtual Apps and Desktops (CVAD), or Microsoft Remote Desktop Session Host (RDSH) . Follow the steps in the section Installing the Agent to complete the installation.
Step 2.3: Install the deviceTRUST Console
To configure and to apply contextual security policies to the deviceTRUST Agent you need to use the deviceTRUST Console. The deviceTRUST Console supports various ways to provide the contextual security policies to the deviceTRUST Agent. Those options are using the Local Policy Editor, a Group Policy Object (GPO) or file-based.
Within the Getting Started Guide, for simplicity, we use the Local Policy Editor to quickly and efficiently create, edit, and use contextual security policies. Follow the steps in the section Installing the Console to complete the installation.
The deviceTRUST Console includes a node within the Local Policy Editor COMPUTER CONFIGURATION\DEVICETRUST CONSOLE which can be used to model the context of a user, and then act on changes to that context by triggering custom actions within your environment.
Step 2.4: Enter your deviceTRUST License
Adding a deviceTRUST license is only necessary in a non CVAD environment.
To add the license into the deviceTRUST contextual security policy open the Local Policy Editor and navigate to DEVICETRUST CONSOLE and click on the UNLICENSED link on the homepage.
Dependent on your license, your individual deviceTRUST license can be found in your MyCitrix Portal.
Enter your deviceTRUST license and make sure it is valid. Close the license editor with OK and click on SAVE TO LOCAL COMPUTER POLICY in the top right toolbar.
deviceTRUST is now enabled and will work for all users except local administrators connecting to that remoting or DaaS host system with deviceTRUST Agent installed. To check if you have added a valid deviceTRUST license, open the Windows Event Log and navigate to APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN and check for the existence of event ID 11 which states that your deviceTRUST license is valid.
Step 2.5: Install the deviceTRUST Client Extension on a Microsoft Windows device
Within the Getting Started Guide, for simplicity, we will only install the deviceTRUST Client Extension on a Microsoft Windows device. Other device operating systems are also supported and an overview of how to install the deviceTRUST Client Extension on the particular operating system can be found on the Installation Client Extension page. Now follow the steps in the section Installing the Client Extension on Microsoft Windows device to complete the installation.
Set up a simple use case
Step 1: Create and apply a file based configuration
We will use the deviceTRUST Console to create a contextual security policy which controls access to the session depending upon the compliance state of the remote device. The deviceTRUST Console includes a set of use cases which can be used to quickly implement a use case. Launch the deviceTRUST Console and create a New Policy.
Select Sharing top right and click Import Template, Compliance Check, Compliance Check and confirm with Import Template at the bottom.
A confirmation of the successful import apears, confirm with OK.
At the top of the console you´ll find the count of configured Context, Actions, Messages, Settings.
Select Actions and see one active (Compliance Check - Conditional Access - Notification) and one disabled (Compliance Check - Conditional Access - Enforcement) action.
Depending on whether you only want to inform about the execution of the policy or block access, select what should be active using the Enable/Disable toggle on the right side of the respective action.
Save the policy whether as Local Policy or File-Based Policy.
Check Policy Loading to find the correct folder to save file-based policies.
Step 2: Check the access to your VDA when the deviceTRUST Client Extension is not installed
From a device without the deviceTRUST Client Extension installed, connect to your VDA. Because the remote device does not have an active deviceTRUST Client Extension, you´ll get a response according to your active Action, like the access will be denied with the following message:
Step 3: Test the Compliance Check use case from a Microsoft Windows device
From a Microsoft Windows device with the deviceTRUST Client Extension installed, connect to your VDA. Toggle the state of the Windows Defender Firewall to see how deviceTRUST can simply and dynamically control access to the session depending on the firewall state of the remote device.
Troubleshooting
If your deviceTRUST installation or configuration does not work as expected, you can use the Troubleshooting guide to start troubleshooting.