IT Support1709152897, posted April 20, 2020:
Hi,
We have a requirement to restrict copy/paste out of a session/remote app on non-corporate machines. Is there a way to apply a policy based on a machine not being on our domain?
We are on 1909.
Thanks
CarlStalhood, posted April 20, 2020:
You can configure SmartAccess - https://www.carlstalhood.com/smartaccess-smartcontrol-netscaler-gateway-12/
IT Support1709152897 (author), posted April 20, 2020:
15 minutes ago, Carl Stalhood1709151912 said: You can configure SmartAccess - https://www.carlstalhood.com/smartaccess-smartcontrol-netscaler-gateway-12/
Thanks Carl. Do you still need to push out the EPA client for this, or is it now handled by the Receiver? I imagine it wouldn't be pre-auth, as I do my client checks at my SAML IdP, so I haven't used EPA for a long time.
Thanks
CarlStalhood, posted April 20, 2020:
To detect corporate vs non-corporate, you'd need an EPA scan with the EPA agent. You can do it in a post-auth policy (Session Policy expression).
IT Support1709152897 (author), posted April 20, 2020:
1 minute ago, Carl Stalhood1709151912 said: To detect corporate vs non-corporate, you'd need an EPA scan with the EPA agent. You can do it in a post-auth policy (Session Policy expression).
Ok, thanks Carl, appreciated.
Andy Vanderbeken, posted April 20, 2020:
4 hours ago, IT Support1709152897 said: Hi, We have a requirement to restrict copy/paste out of a session/remote app on non-corporate machines. Is there a way to apply a policy based on a machine not being on our domain? We are on 1909. Thanks
Here's something to consider, perhaps, based on first-hand experience:
Last year I received this question as well from corporate management. After some research I implemented SmartAccess, but soon after that some additional and "exceptional" requests started coming in for a few specific external partner PCs that should be allowed after all. Soon after that the request came to no longer allow, by default, all people with internal company PCs to do it, but rather restrict it to only people who request permission (with a valid reason). After that the request came to allow a specific internal range of a subsidiary where different machines (Windows and Macs) are randomly used by different persons. They need to have access. Finally, some time later, the request came for a few specific users who need to get this functionality regardless of which machine they are using.
So eventually I realized I had to come up with a design model that allowed granular control over all of these scenarios and still provided certainty that no 'overlooked' situations could accidentally still have access where they shouldn't, both for internal or external machines, regardless of whether through a full VPN or Citrix sessions through NetScaler Gateway.
To design a fitting solution for all of these possibilities once and for all, I ended up choosing to apply a full deny of this functionality in my Virtual Apps default policy (last priority) and then 3 exception policies with a higher priority based on, respectively, "client (machine) name", client IP (range) and "User or Group" name.
Ever since, I have never had to adjust the design again, no matter what additional requests came in.
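The default-deny-plus-exceptions model described in the post above, written out as an added example (not code from the thread or from Citrix) so the precedence can be checked offline: a priority-ordered list of policies, each carrying a clipboard setting and an optional client-name, client-subnet or group filter, plus an audit that confirms the lowest-priority policy is unfiltered and denies, so no client/user combination can fall through to an allow. Policy names, machine names, the 10.50.0.0/16 range and the group name are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    """One Citrix-style policy: a clipboard setting plus optional filters.
    Priority follows the Citrix convention, where 1 is the highest."""
    name: str
    priority: int
    allow_clipboard: bool
    client_names: set = field(default_factory=set)
    client_subnets: list = field(default_factory=list)  # ipaddress networks
    groups: set = field(default_factory=set)

    def is_unfiltered(self):
        return not (self.client_names or self.client_subnets or self.groups)

    def matches(self, client_name, client_ip, user_groups):
        """An unfiltered policy applies to every session; a filtered one
        applies when any one of its filters matches (an OR, like an
        exception policy that targets one dimension)."""
        if self.is_unfiltered():
            return True
        ip = ipaddress.ip_address(client_ip)
        return (client_name in self.client_names
                or any(ip in net for net in self.client_subnets)
                or bool(self.groups & set(user_groups)))


# Constructed sample policy set mirroring the post: three exceptions, then deny.
POLICIES = [
    Policy("Named partner PCs", 1, True, client_names={"PARTNER-PC01"}),
    Policy("Subsidiary subnet", 2, True,
           client_subnets=[ipaddress.ip_network("10.50.0.0/16")]),
    Policy("Clipboard-approved users", 3, True, groups={"CTX-Clipboard-Allowed"}),
    Policy("Default (last priority)", 99, False),
]


def clipboard_allowed(client_name, client_ip, user_groups, policies=POLICIES):
    """The highest-priority matching policy decides the setting, the same way
    Citrix resolves a setting that several policies configure."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.matches(client_name, client_ip, user_groups):
            return p.allow_clipboard
    return False  # unreachable with a proper default policy; fail closed anyway


def default_is_deny(policies=POLICIES):
    """Audit: the lowest-priority policy must be unfiltered and must deny."""
    last = max(policies, key=lambda p: p.priority)
    return last.is_unfiltered() and not last.allow_clipboard
```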
IT Support1709152897 (author), posted April 20, 2020:
19 minutes ago, Andy Vanderbeken said: Here's something to consider, perhaps, based on first-hand experience: Last year I received this question as well from corporate management. After some research I implemented SmartAccess, but soon after that some additional and "exceptional" requests started coming in for a few specific external partner PCs that should be allowed after all. Soon after that the request came to no longer allow, by default, all people with internal company PCs to do it, but rather restrict it to only people who request permission (with a valid reason). After that the request came to allow a specific internal range of a subsidiary where different machines (Windows and Macs) are randomly used by different persons. They need to have access. Finally, some time later, the request came for a few specific users who need to get this functionality regardless of which machine they are using. So eventually I realized I had to come up with a design model that allowed granular control over all of these scenarios and still provided certainty that no 'overlooked' situations could accidentally still have access where they shouldn't, both for internal or external machines, regardless of whether through a full VPN or Citrix sessions through NetScaler Gateway. To design a fitting solution for all of these possibilities once and for all, I ended up choosing to apply a full deny of this functionality in my Virtual Apps default policy (last priority) and then 3 exception policies with a higher priority based on, respectively, "client (machine) name", client IP (range) and "User or Group" name. Ever since, I have never had to adjust the design again, no matter what additional requests came in.
Thanks for your input. I was thinking about this way as well, at least for the short term until Corona is over.
I'd be a bit concerned about implementing EPA when all our staff are WFH! Will need to think about how I can do this when staff are on VPN but using remote app.
Andy Vanderbeken, posted April 20, 2020:
That's the beauty of this model. As long as you don't provide their software as locally installed on the local machines but rather force users to go through Citrix virtual app or desktop sessions, these policies will apply to them always and under all circumstances and scenarios. This way you control and contain all.