Recently, Citrix announced an experimental new feature in Workspace Cloud Labs, the Browser Apps Service.

This new service allows you to easily deliver web applications via a hosted web browser to solve browser compatibility issues, increase security, or improve performance over high-latency connections.

So far, Citrix has received lots of positive feedback from our customers. But still, the number one question customers have asked is, “When is Citrix going to offer the Browser Apps Service as an on-premises product?” The answer: We already have. The Browser Apps Service runs completely on off-the-shelf Citrix technologies that you can buy today.

In this post, I’ll provide a behind-the-scenes look at how Citrix built the Browser Apps Service and how you can it to deliver a great user experience to your end users for hosted web apps.

It’s XenApp.

Under the covers, the Browser Apps Service is running the same XenApp technology we’re all familiar with. The Citrix Workspace Cloud operations team manages the service using the same Studio and Director you use today. VDAs are created with Machine Creation Services. Web applications are published using the publicly-available PowerShell SDK.

For the control plane, Citrix chose to use the hosted Applications and Desktops Service from Citrix Workspace Cloud. This ensures the service is kept evergreen with the latest fixes. and we can leverage new features like Azure VDA provisioning, which is currently only available via the Apps and Desktops service.

Citrix operations’ view of the Browser Apps Service
Citrix operations’ view of the Browser Apps Service

Seamless User Experience

One of the key goals of the service is to make the experience as seamless as possible for end users. A user’s workflow shouldn’t change when using a web app hosted by the Browser Apps Service—users should continue to enter a URL or click on a hyperlink as if they were accessing a regular web site, without being aware of what’s happening in the Browser Apps Service behind the scenes. To get this experience, Citrix uses a combination of features from XenApp, StoreFront, and the web browsers themselves.

Receiver for HTML5

Citrix wanted the web application to be displayed directly inside a tab of the user’s web browser, not as a separate window, and didn’t want the user to be prompted to install a client. To accomplish this, we use Citrix Receiver for HTML5. This Receiver is written completely in JavaScript and runs within any modern web browser, no installation required. To use it, simply configure a Receiver for Web site that always delivers apps using HTML5, or download the Receiver for HTML5 SDK and host it directly on a web page of your own.

Kiosk Mode

The Browser Apps Service is designed for delivering specific web application to end users, not for general-purpose web browsing. So, Citrix chose to hide the fact that we’re running a web browser inside of another web browser. Web browsers support a special kiosk mode that does exactly this: it runs a single web application in full-screen mode, without any navigation or menu bars. Launching a web browser in kiosk mode can be accomplished by adding command-line flags to the published application:

  • Google Chrome: chrome.exe –kiosk <URL>
  • Microsoft Internet Explorer: iexplorer.exe -k <URL>
Left: A typical published web browser running in Receiver for HTML5. Note the browser-within-a-browser. Right: The same published application with the --kiosk flag. The end-user experience looks similar to a native web application.
Left: A typical published web browser running in Receiver for HTML5. Note the browser-within-a-browser. Right: The same published application with the –kiosk flag. The end-user experience looks similar to a native web application.

Add Shortcuts to Websites

The next step in providing a seamless user experience is launching the app via a URL that can be e-mailed or embedded in other web pages, just like any other web application. If using StoreFront, Receiver for Web has a feature that allows you to create shortcut URLs that go directly to a specific application. The user doesn’t have to go through the normal process of browsing through apps or adding them to their favorites. From the Receiver for Web console, just click the “Add Shortcuts to Websites” task to get a URL that you can embed in another intranet site to provide direct access to that application.

Unauthenticated Users

Finally, users of the Browser Apps Service don’t have separate credentials. The web browser doesn’t run under any particular Active Directory user account, so Citrix leveraged the unauthenticated users feature introduced in XenApp 7.6. This feature creates a pool of local user accounts on each VDA, named Anon000 through Anon999, and users are temporarily assigned to one of these users for only the lifetime of their session.

The unauthenticated users feature is particularly useful when delivering web apps to client on the local intranet, as it allows the user to launch without any credential prompt. When creating the Delivery Group, simply check the box shown below, then create an unauthenticated StoreFront store to provide access to these applications.

Unauthenticated Users

Configuring Policies

In addition to simply running Internet Explorer or Chrome as a published app, numerous GPOs need to be set on the VDAs to provide a more secure environment and a good end user experience. The list below isn’t comprehensive, but provides some of the policies recommended for VDAs hosting a published web browser on a multi-session (Remote Desktop Services) environment.

Internet Explorer

Some of the default web browser settings aren’t suitable for a Browser Apps Service deployment, particularly on a Server OS.

\Policies\Administrative Templates\Windows Components\Internet Explorer
Policy Setting Comments
Prevent running First Run wizard
Go directly to home page
Enabled Prevents first run wizards of IE so page loads seamlessly to content
Turn off Automatic Crash Recovery Enabled Crash recovery breaks out of Kiosk mode with additional prompts we want to avoid
Turn off Reopen Last Browsing Session Enabled Ensures each session maintains a fresh appearance
Turn off Shortcut Menu Enabled Removes the right click menu from Internet Explorer
\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Policy Setting Comments
Turn off first-run prompt
First-Run Opt-In : Enabled
Enabled Automatically uses recommended settings if not already set up

Google Chrome

First, download and install the Google Chrome ADMX template.

\Policies\Administrative Templates\Google\Google Chrome
Policy Setting Comments
Continue running background apps when Google Chrome is closed Disabled Ensures we recycle resources of the browser session
Disable saving browser history Enabled Allow shared machines to isolate and restrict session contamination from other users actions
Specify a list of enabled plugins Enabled Enable the browser plugins you desire
\Policies\Administrative Templates\Google\Google Chrome\Password manager
Policy Setting Comments
Allow users to show passwords in Password Manager Disabled Prevents access to any passwords that may inadvertently be saved
Enable the password manager Disabled Turns off the ability to save passwords during your session

Build your own Browser Apps Service

The primary advantage of the Browser Apps Service is its simplicity. In seconds, you can go from a URL to a fully-functional hosted web browser with zero Citrix expertise. The Workspace Cloud operations team manages the infrastructure, including the VDA images hosting web browsers, patches and updates, and scales the infrastructure based on capacity demands.

However, the functionality itself is built on top of publically-available features in XenApp 7.6 and StoreFront 3.0. By using some of the tricks like kiosk mode and website shortcuts described above, you can offer end users the same seamless experience as the Browser Apps Service, using your existing XenApp infrastructure.