Configuring Persistent Applications for Citrix XenApp with Manually Launched Applications
The persistent applications feature enables published applications to remain running as a generic Windows user account or anonymously. It allows a user to launch their application with a generic user account but still allows the user to launch other applications as a named user.
- A persistent application is automatically launched using generic user credentials when the endpoint computer starts.
- The user can have an additional Citrix session authenticated under their own explicit credentials, in addition to the persistent app which is launched under generic credentials.
- When a user closes a persistent application, it remains closed until the endpoint computer locks.
- When the endpoint computer locks, the persistent application is automatically launched again so it is ready for the next user.
- If the user closes the persistent application, it is automatically launched again when the endpoint computer is locked.
Supported Two-Factor Authentication Methods
The following two-factor authentication methods are supported when authenticating to the endpoint computer. The methods are listed as first factor plus second factor.
- Fingerprint plus network password or PIN
- Passive proximity card plus network password, PIN, or fingerprint
For a proximity card first factor, you can allow a limited user choice for the second factor, for example, network password or fingerprint.
For more information on authentication methods, see Enterprise Access Management SSO Authentication Methods.
Before You Begin

Review the following:
- Verify that the Citrix XenApp environment is functioning normally, independent of Imprivata, before installing and configuring Imprivata components.
- Review the Imprivata Enterprise Access Management with SSO Supported Components to confirm that your environment meets all of the minimum or recommended Citrix and endpoint device requirements.

Review the following:
- Authentication Management, Single Sign-On and Imprivata Virtual Desktop Access licenses are required.
- Supported on Windows endpoint computers.
- The user must be part of the Imprivata Virtual Desktop Access policy.
- A Single Sign-On profile created for the persistent application.
- A log off sequence defined in the Single Sign-On profile for the persistent application.
- Ticket authentication is required for the computer policy for the Citrix server that is delivering the published desktop.

When configuring a generic user account for a persistent application, it is recommended that the account be unique for each endpoint computer to which the persistent application is being delivered.
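One way to check this recommendation before rollout, as an added example that is not Imprivata's own tooling: the script reads an endpoint-to-account list and reports every generic account assigned to more than one endpoint. The CSV layout, the account names, and the UPN-suffix mapping are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per endpoint and its generic account.
SAMPLE = """endpoint,generic_account
WS-ED-01,CORP\\svc-epic-ed01
WS-ED-02,corp\\SVC-EPIC-ED01
WS-ICU-01,svc-epic-icu01@corp.example.com
WS-ICU-02,CORP\\svc-epic-icu02
WS-ICU-03,CORP\\svc-epic-icu01
"""

# Hypothetical mapping from UPN suffix to down-level domain name.
UPN_SUFFIX_TO_DOMAIN = {"corp.example.com": "CORP"}


def canonical_account(name, upn_map=UPN_SUFFIX_TO_DOMAIN):
    """Reduce DOMAIN\\user and user@suffix spellings to one lowercase key.

    ASSUMPTION: the UPN prefix equals the down-level logon name.
    """
    name = name.strip()
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, suffix = name.rsplit("@", 1)
        domain = upn_map.get(suffix.lower(), suffix)
    else:
        domain, user = "", name
    return f"{domain}\\{user}".lower()


def shared_generic_accounts(csv_text):
    """Return {account: [endpoints]} for accounts used on 2+ endpoints."""
    by_account = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = canonical_account(row["generic_account"])
        by_account[account].add(row["endpoint"].strip().upper())
    return {a: sorted(e) for a, e in by_account.items() if len(e) > 1}


if __name__ == "__main__":
    for account, endpoints in shared_generic_accounts(SAMPLE).items():
        print(f"{account} is shared by: {', '.join(endpoints)}")
```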

After installing Citrix Workspace app, additional configuration is required to support Enterprise Access Management.
If you have not completed the configuration, see Configuring Citrix Workspace App for Imprivata Enterprise Access Management.
To configure the Citrix Workspace app FastConnect API for use with persistent applications:
- In the Group Policy Management Editor tree, select FastConnect API Support.
- In the details pane, double-click Manage FastConnect API support.
- In the Manage FastConnect API support window, select Enabled.
- In the Options pane, select:
  - Select Leave Apps Running On Logoff.
- Click OK.

Imprivata agents communicate with known Citrix stores. The URL required to configure the Imprivata agent connection to Citrix depends on how the Citrix store is configured:
- Store URL – If the store is configured with a Store URL, the Imprivata agent communicates with Citrix using the respective Web Site URL.
  Example: If the store is configured with https://example.com/Citrix/SalesStore, then configure the Imprivata agent connection with https://example.com/Citrix/SalesStoreWeb.
- XenApp Services URL – If the store is configured with a XenApp Services URL (the StoreFront legacy URL or the StoreFront URL), the Imprivata agent communicates with Citrix using the same XenApp Services URL.
  Example: If the store is configured with https://example.com/Citrix/SalesStore/PNAgent/config.xml, then configure the Imprivata agent connection with https://example.com/Citrix/SalesStore/PNAgent/config.xml.
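The two URL rules above can be turned into a check of the value entered in the Imprivata Admin Console against the store's configured URL. This is an added example, not Imprivata or Citrix code; it assumes the Web Site is named `<store>Web` as in the example above (a custom-named site must be compared by hand), and the function names and sample pairs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

PNAGENT_SUFFIX = "/pnagent/config.xml"


def expected_agent_url(store_config_url):
    """Return (kind, url) for the Imprivata agent connection to a store."""
    parts = urlsplit(store_config_url.strip())
    path = parts.path.rstrip("/")
    if parts.scheme not in ("http", "https") or not parts.netloc or not path:
        raise ValueError(f"not a store URL: {store_config_url!r}")
    if path.lower().endswith(PNAGENT_SUFFIX):
        # XenApp Services URL: the agent uses the same URL unchanged.
        kind = "xenapp-services"
    else:
        # Store URL: the agent uses the store's Web Site URL.
        # ASSUMPTION: the site is named <store>Web, as in the page's example.
        kind, path = "store", path + "Web"
    return kind, urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def _key(url):
    """Normalise a URL for comparison: ignore case and a trailing slash."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/").lower())


def check_connection(store_config_url, entered_url):
    """Return None if the entered URL is the expected one, else a finding."""
    kind, expected = expected_agent_url(store_config_url)
    if _key(entered_url) == _key(expected):
        return None
    return f"{kind}: expected {expected}, found {entered_url.strip()}"


# Constructed sample: (store configuration URL, URL entered in the console).
SAMPLE = [
    ("https://example.com/Citrix/SalesStore",
     "https://example.com/Citrix/SalesStoreWeb/"),
    ("https://example.com/Citrix/SalesStore",
     "https://example.com/Citrix/SalesStore"),
    ("https://example.com/Citrix/SalesStore/PNAgent/config.xml",
     "https://example.com/Citrix/SalesStore/PNAgent/config.xml"),
]


def findings(pairs=SAMPLE):
    """Return the findings for every mismatched pair."""
    return [f for f in (check_connection(s, e) for s, e in pairs) if f]
```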

Additional Citrix configuration is required to support native connections to Citrix StoreFront stores. The Citrix store must be configured with the following authentication methods to support Imprivata OneSign:
- User name and password
- Domain pass-through
- HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.
To configure the required authentication methods:
- Open Citrix Studio.
- Go to Citrix StoreFront > Receiver for Web.
- Select the store you want to manage.
- In the Store Web Receiver pane, click Choose Authentication Methods.
- Click Add/Remove Methods and enable the required methods.
Review the Expected User Workflow
The following illustrates the expected workflow when the Enterprise Access Management environment is configured for persistent applications.
In this workflow example, User A and User B are Imprivata Virtual Desktop Access users. User C is not part of the Imprivata Virtual Desktop Access policy.
- A Windows only endpoint starts and Enterprise Access Management starts a generic user session for the configured application.
- User A authenticates. The application session is still running as the generic user or anonymous account throughout User A's session.
- If profiled for Single Sign-On, for example Epic, Enterprise Access Management proxies the user credentials and the user is logged into the persistent application.
- Imprivata Virtual Desktop Access logs User A into Citrix Workspace app. All entitled user applications are delivered to the endpoint.
- The endpoint is locked due to inactivity or User A taps to lock the endpoint.
- User B authenticates. Imprivata Virtual Desktop Access detects the user switch and logs the user out of the persistent application.
  The Citrix session of User A is disconnected. The persistent application session continues to run as the generic user or anonymous account throughout the session of User B.
- User B works with the persistent application, closes it and then locks the workstation.
- Imprivata Virtual Desktop Access relaunches the persistent application.
- User C authenticates. Because User C is not part of the Imprivata Virtual Desktop Access policy, the persistent application closes.
Installation Sequence

Configuring the Imprivata agent connection to XenApp requires:
- One or more Citrix store URLs.
- The names of the published applications to make available as persistent applications.
To configure the connection:
- In the Imprivata Admin Console, go to the Computers menu > Virtual Desktops page > Citrix XenApp section.
- In the first field, enter a Store URL, Web Site URL or XenApp Services URL.
- From Authenticate using, select the type of credentials that apply to the applications on the specified server.
  NOTE: For persistent apps that will be launched under a generic user account, do not select Windows user credentials as the authentication method for the broker.
- Type the exact name of the XenApp published desktop application.
  Type the name with the same spelling, spacing, and capitalization as it appears in the Citrix Web Interface or Citrix StoreFront.
- Click Add to configure more published applications. For example, you can add applications to launch on the published desktop.
  NOTE: Take note of those application names that you wish to launch as persistent applications in Step 4a.
- Select Allow authentication from XenApp-enabled devices.
- Click Save.

After you configure the Imprivata connection to Citrix XenApp, create and apply a user policy to enable virtual desktop automation.
Step 2a: Create a User Policy
To create a user policy:
- In the Imprivata Admin Console, go to the Users menu > User policies page.
  You can select an existing user policy from the list, or make a copy of the Default User Policy as a starting point. If you want to edit an existing user policy, click the existing user policy name, and skip to step 5.
- To copy the Default User Policy, select Default User Policy, then click Copy.
- Click Default User Policy (2).
- Rename the user policy in the Policy Name field.
- Click the Virtual Desktops tab.
- Select Enable virtual desktop access automation.
- Select Automate access to apps or published desktops.
- Click Save.
Step 2b: Apply a User Policy
To apply the user policy:
- In the Imprivata Admin Console, go to the Users menu > Users page.
- Select the users to which you want to apply the user policy.
  You can view additional pages of the Users list without losing your selections. Imprivata keeps track of all the users you have selected and displays a counter at the top of the page.
  BEST PRACTICE: To select multiple users more efficiently, use the Search for Users tool at the top of the Users page. Search for Users offers several search parameters for refining your results.
- Click Apply Policy.
- Choose the policy from the drop-down list and click OK.

Create and apply a computer policy for endpoint computers that are supporting the published desktop application.
Step 3a: Create a Computer Policy for Endpoint Computers
To create the computer policy:
- In the Imprivata Admin Console, go to the Computers menu > Computer policies page.
  You can select an existing computer policy from the list, or make a copy of the Default Computer Policy as a starting point.
- To copy the Default Computer Policy, select Default Computer Policy, then click Copy.
- Click Default Computer Policy (2).
- Rename the computer policy in the Name field.
- Go to the Shared Workstations tab > Kiosk Workstations section.
- Select Allow Fast User Switching with Citrix or Terminal Servers.
- Go to the Virtual Desktops tab > Persistent Applications section.
- In the left pane, select the Citrix XenApp applications to persist between sessions.
  Click All to add all available applications, or None to clear all of the selections.
- Select the user account under which to launch the applications:
  - To launch the persistent applications as a generic Windows user account, select Launch applications using the Windows user account.
    This account should be unique to each endpoint computer. If it is not unique, the users will see that the persistent application will roam.
  - To launch the persistent applications as the anonymous user account, select Launch applications using the Anonymous user account.
- Select the action to take when the computer is idle:
  - Always persist application. When the computer is idle, the application persists.
  - Persist application for up to X minutes/hours. When the computer is idle, the application persists for the specified amount of time.
- To restrict application persistence during specific times of the day, select Persist applications only during specified times and type the start and end of time ranges.
  If no time ranges are specified, the application will persist at all times.
  To create additional time ranges, click Add time range.
- Select the Citrix XenApp servers for this computer policy.
- Click Save.
If you are configuring persistent applications for use on IGEL thin clients, skip the next two steps. Any settings you specify in the next two steps are ignored and not implemented. That functionality is controlled within IGEL.
Step 3b: Apply a Computer Policy to Endpoint Computers
Apply the computer policy you just created to endpoint computers.
Manually Assigning the Computer Policy
To manually assign the computer policy:
- In the Imprivata Admin Console, go to the Computers menu > Computers page.
- Select the computers to which you want to apply the computer policy. You can use Search for Computers to enter search criteria.
- Click Apply Policy.
- Select Choose a policy for the selected computers, select the policy from the list, and click Apply Policy.
Automatically Assigning the Computer Policy
Computer policy assignment rules let you assign a policy to existing endpoint computers and make sure that the policy is automatically assigned to endpoint computers that are added later.
To automatically assign a computer policy:
- In the Imprivata Admin Console, go to the Computers menu > Computer Policy Assignment page.
- Click Add New Rule.
- Name the rule and select the assignment criteria.
- Select the policy you created and click Save.
BEST PRACTICE: When assigning a computer policy to ProveID Embedded thin clients only, select Imprivata agent type > ProveID Embedded.