Organizations need employees to be productive, no matter where they’re working from or what device they’re working on. At the same time, they need to ensure secure access to corporate resources and that potential threats are managed to protect the organization. Adaptive access is a key pillar for implementing a zero trust network access framework.

That’s why we’re pleased to announce that adaptive access based on network location for Citrix Workspace is now generally available. IT admins can now enable adaptive access to Citrix Virtual Apps and Desktops accessed through Citrix Workspace based on network location, that is, the public IP address from which a user tries to access Citrix Workspace.

With this adaptive access, based on network location, IT admins can control:

  • Which apps or desktops users can access based on their location (enumerate selective applications).
  • How users interact with an app or desktop (user access filters). Admins can enable/disable clipboard access, USB drive mapping, and printer access for users not on the corporate network.

Citrix Virtual Apps and Desktops service customers using Citrix Workspace can implement location-based adaptive access independent of the authentication method.

In this blog post, we walk through configuring network-based adaptive access for a user who works from home and from a branch office.

Please note, we recommend trying this in a test/dev (non-production) environment. If a test/dev account is not available, create a test delivery group with a limited number of users.

Plan the adaptive access policy per your requirements: Create delivery groups for each type of user location and assign the applications and user access filters to each delivery group. Here’s an example:

| Delivery Group | Applications and Desktop | Access | Network Type |
|---|---|---|---|
| Deliverygroup_BranchOffice | Putty, SAP, JIRA, Concur, salesforce, sharefile | Full access | Internal |
| Deliverygroup_Remote | Chrome, Teams, Outlook, Word, Excel | No clipboard access, no download access | External |

Configure the network locations: Network locations are IP address ranges of your user locations. Define the network locations from which the users should have more privileged access rather than defining all the networks.

Let’s look at each option on the “Edit a Network Location” screen:

  • Location name: Provide the name of your user network.
  • Public IP address range: Specify the public IP range of the network that internal users will connect from.
  • Location tag: This is used to configure adaptive access for Citrix Virtual Apps and Desktops in Citrix Studio. You must add the prefix “LOCATION_TAG_” to the location tag name to configure location-based policies on Citrix Web Studio. For example, if you have defined a network location with tag “BranchOffice,” use the name “LOCATION_TAG_BranchOffice” when configuring the filter option on Studio policy.
  • Connectivity type: Currently, the network location is used for direct workload connections. Any network location you define tries to bypass the Citrix Gateway and form a direct connection with the VDA. Choose whether the defined user location is internal (bypass Citrix Gateway) or external (use Citrix Gateway).

Check out our network location configuration documentation for more information.

Configure Adaptive Access Policy for Citrix Virtual Apps and Desktops: For each delivery group, add the location tags as filters in the access policies, as shown below. Applications in this delivery group are enumerated to users only when they log in from a public IP address within the range defined for the location tag.

Similarly, add the location tags as “Access Condition” in the access control policy. With this access control, restrictions are enforced when users log in from a public IP address within the range defined for the location tag.
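
To sanity-check a plan like the one above before building it in Studio, here is an added example (not part of the original post and not Citrix code) that models the mapping from public IP address to location tag to delivery group, and flags overlapping location ranges. The CIDR ranges are constructed documentation addresses, and treating any address outside a defined location as remote is an assumption of this model.

```python
import ipaddress
from itertools import combinations

TAG_PREFIX = "LOCATION_TAG_"  # prefix used for the Studio filter name, per the post

# Constructed sample data: documentation-range CIDRs, not real addresses.
LOCATIONS = [
    {"name": "Branch office", "tag": "BranchOffice",
     "ranges": ["203.0.113.0/24"], "connectivity": "Internal"},
]

# Delivery groups from the planning table, keyed by Studio filter name.
# Key None is this model's assumed fallback for addresses outside every location.
DELIVERY_GROUPS = {
    TAG_PREFIX + "BranchOffice": ("Deliverygroup_BranchOffice", "Full access"),
    None: ("Deliverygroup_Remote", "No clipboard access, no download access"),
}

def overlapping_locations(locations):
    """Return sorted pairs of location names whose public ranges overlap."""
    nets = [(loc["name"], ipaddress.ip_network(r))
            for loc in locations for r in loc["ranges"]]
    return sorted({(a, b) for (a, n1), (b, n2) in combinations(nets, 2)
                   if a != b and n1.version == n2.version and n1.overlaps(n2)})

def studio_filter_for(public_ip, locations):
    """Return the LOCATION_TAG_ filter name matching public_ip, or None."""
    addr = ipaddress.ip_address(public_ip)
    for loc in locations:
        if any(addr in ipaddress.ip_network(r) for r in loc["ranges"]):
            return TAG_PREFIX + loc["tag"]
    return None

def plan_for(public_ip, locations=LOCATIONS, groups=DELIVERY_GROUPS):
    """Return (delivery group, access level) the plan assigns to public_ip."""
    return groups[studio_filter_for(public_ip, locations)]

if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7"):  # constructed client addresses
        print(ip, "->", plan_for(ip))
    print("overlapping locations:", overlapping_locations(LOCATIONS))
```

An overlap between two locations means a single public IP would match more than one tag, so resolve any pair the check reports before assigning tags to delivery groups.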

Now, adaptive access for Citrix Virtual Apps and Desktops based on network location is complete, making it easier for IT admins to keep corporate resources secure and to keep users productive. You can learn more about adaptive access to Citrix Workspace based on network location here and get started.