With the increased popularity of mobility, hybrid work, and bring-your-own-device (BYOD) initiatives, the IT risk profile has changed. At Citrix, we constantly strive to make our products even more secure. Whether it’s providing security controls for Citrix Virtual Apps and Desktops administrators with offerings like app protection, or enhancing the architecture of our products, security has always been our guiding principle.

Today, we are announcing a preview of an important architecture change to the way Citrix Workspace app for Windows handles ICA files during the launch of a virtual app or desktop. To reduce the attack surface, ICA files from Citrix Workspace app for Windows will now be stored in memory.

Below is a graphic depiction of the launch of an ICA file in Citrix Workspace that is now stored in memory.

This change is currently in preview. ICA files will be stored in memory by default once this feature is generally available. We encourage you to test the preview by enabling the following registry toggle on Citrix Workspace app 2106 for Windows.

Admin – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\[WOW6432Node]\Citrix\Dazzle

User – Computer\HKEY_CURRENT_USER\SOFTWARE\Citrix\Dazzle

Add the registry value EnableIcaFileInMemory and set it to “True”.

That’s it! As you launch your next virtual app or desktop from Citrix Workspace app, the ICA file will now be even more secure. Admins can also control the ICA file downloads when Citrix Workspace is accessed via the web.
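To check which of the registry locations above carry the preview toggle on an endpoint, the following PowerShell script is an added example, not Citrix's own code. It assumes the value is a string (REG_SZ) holding "True", since the post gives only the name and value; the `-Enable` switch and the function name `Get-IcaInMemoryState` are illustrative.

```powershell
# Added example: audit (and optionally set) the EnableIcaFileInMemory preview toggle.
# Assumption: the value is a string (REG_SZ) containing "True";
# the post gives the value name and data but not the registry type.
param([switch]$Enable)   # -Enable writes the machine-wide value; run elevated

$ValueName = 'EnableIcaFileInMemory'
$Locations = [ordered]@{
    'Admin (native)'      = 'HKLM:\SOFTWARE\Citrix\Dazzle'
    'Admin (WOW6432Node)' = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\Dazzle'
    'User'                = 'HKCU:\SOFTWARE\Citrix\Dazzle'
}

function Get-IcaInMemoryState {
    foreach ($entry in $Locations.GetEnumerator()) {
        $value = $null
        if (Test-Path -Path $entry.Value) {
            $value = (Get-ItemProperty -Path $entry.Value -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Scope   = $entry.Key
            Path    = $entry.Value
            Value   = if ($null -eq $value) { '<not set>' } else { $value }
            Enabled = ("$value" -ieq 'True')
        }
    }
}

if ($Enable) {
    # Write only under Dazzle keys that already exist, so no key is created for a missing install.
    $targets = @($Locations['Admin (native)'], $Locations['Admin (WOW6432Node)']) | Where-Object { Test-Path $_ }
    if (-not $targets) { throw 'No Citrix\Dazzle key found under HKLM; is Citrix Workspace app installed?' }
    foreach ($path in $targets) {
        New-ItemProperty -Path $path -Name $ValueName -Value 'True' -PropertyType String -Force | Out-Null
    }
}

Get-IcaInMemoryState | Format-Table -AutoSize
```

Run without arguments to report the current state of all three locations; the User row reflects the account running the script.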

You can also take additional measures to ensure that sessions are launched only using ICA files stored in system memory:

  • You can block session launches from ICA files that are stored on the local disk using the Group Policy Object (GPO) Administrative template on the client.
    • Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
    • Under the Computer Configuration node, go to Administrative Templates → Citrix Components → Citrix Workspace → Client Engine.
    • Select the Block Direct ICA File Launches policy and set it to Enabled.
    • Click Apply and OK.
  • You can block session launches from ICA files that are stored on the local disk using the Global App Config Service. To do so, set the Block Direct ICA File Launches attribute to True. For more information about Global App Config Service, see the Global App Config Service documentation.
  • You can disallow ICA file downloads to the local disk from Workspace for Web by using the PowerShell module and following the instructions available here.

We would love to get your feedback on this preview. Please let us know about your experience in this form. And stay tuned for more updates on Citrix Workspace app for Windows coming soon!