Dealing with Citrix ADMX files can be confusing. But there is hope on the horizon. It looks like Citrix finally got it under control.
The issue
Prompts subscribers to detect a locally installed version of Citrix Workspace, or to use Citrix Workspace for HTML5 in their browser where possible. For the 'In a native app' and 'Let users choose' options, there is an additional check box option to guide users to install the latest version of Citrix Workspace if a local app can’t be detected. Citrix won't maintain the Receiver for further versions; Receiver 12.9.1 will obviously be the last version. The Receiver has been replaced by Citrix Workspace app; the current version is Citrix Workspace app 1809. Download this version from the Citrix website and install it. The new app will automatically replace the Receiver app.
The implementation of Citrix ADMX files has been a bit chaotic so far. Remember this view? A tad bit messy I would say.
Your central ADMX repository contained the following five Citrix ADMX files:
- ctxprofile5.x.0.admx
- ica-file-signing.admx
- HdxFlash-Client.admx
- receiver.admx
- receiver_usb.admx
These files were clearly not in sync with one another.
The solution
It seems that Citrix also realized that the above structure was not the way to go, so they implemented something new.
You now only need three ADMX files (+ corresponding language files of course):
- ctxprofile5.6.0.admx
- CitrixBase.admx*
- receiver.admx**
*This file is new. It only has one purpose, which is to define the shared 'Citrix Components' folder in the Group Policy editor.
**This file belongs to Citrix Receiver 4.6
The following ADMX files have now been merged in the new 'receiver.admx' file:
- HdxFlash-Client.admx
- ica-file-signing.admx
- receiver_usb.admx
There is more than one way to get these new ADMX files:
- Citrix Receiver - CitrixBase.admx and receiver.admx:
  - Download the ADMX files as a stand-alone package in the section Download for Admins (Deployment Tools): Receiver 4.6 for Windows
  - Download and install Receiver and then copy the files from the Citrix Receiver installation directory: C:\Program Files (x86)\Citrix\ICA Client\Configuration
- Citrix User Profile Manager - CitrixBase.admx and ctxprofile5.6.0.admx:
  - Download the software User Profile Manager 5.6 in the section Components that are on the product ISO but also packaged separately. Extract the ZIP file:
    - The ADMX file for the User Profile Manager is located in the directory: Group Policy Templates\en
    - The ADMX file CitrixBase is located in the following directory: Group Policy Templates\CitrixBase
  - Download the XenDesktop 7.12 ISO file in the section Product ISO. Extract the ISO file:
    - The ADMX file for the User Profile Manager is located in the directory: x64\ProfileManagement\ADM_Templates
    - The ADMX file CitrixBase is located in the following directory: x64\ProfileManagement\ADM_Templates\CitrixBase
Update (16.02.2017): In XenDesktop 7.12 the new CitrixBase.admx is also available for Citrix FAS (Federated Authentication Service). To get the ADMX files you have to first install the FAS component. By default, the ADMX and ADML files are located in the directory C:\Program Files\Citrix\Federated Authentication Service\PolicyDefinitions. Please see the article Citrix Federated Authentication Service (SAML) written by Carl Stalhood on how to install and configure FAS.
As far as I can tell the latest version of Citrix ShareFile does not include the unified CitrixBase.admx file yet. There is a 'base ADMX' file for ShareFile itself though: the file ShareFile.admx. The ADMX files ShareFileDriveMapper.admx and ShareFileSync.admx both use the ShareFile.admx base file. The ADMX files for ShareFile On-Demand Sync for XenApp and Desktop and ShareFile Sync for Windows are identical and can be downloaded here and here. The ADMX file for ShareFile Drive Mapper can be downloaded here.
The ADMX file Citrix Workspace Environment Management Agent Host Configuration v4.0.admx for Citrix Workspace Environment Management also does not yet support the CitrixBase.admx file. The file name does contain a nice typo though (Citrix Worskpace Environment). To get the ADMX files, download and extract the ZIP file containing the installation sources. The ADMX and ADML files are located in the subdirectory Configuration ADM - ADMX.
Update (21.02.2017):
The remainder of this paragraph explains how to update the central ADMX repository in your domain.
- Central ADMX repository: %LogonServer%\sysvol\#DomainName#\Policies\PolicyDefinitions
- Central ADMX repository for the language files: %LogonServer%\sysvol\#DomainName#\Policies\PolicyDefinitions\#language-country#
- Delete the old Citrix ADMX language files (= *.ADML) from the repository:
- ctxprofile5.x.0.adml (replace the 'x' for the correct version)
- ica-file-signing.adml
- HdxFlash-Client.adml
- receiver.adml
- receiver_usb.adml
- Delete the old Citrix ADMX files from the repository:
- ctxprofile5.x.0.admx (replace the 'x' for the correct version)
- ica-file-signing.admx
- HdxFlash-Client.admx
- receiver.admx
- receiver_usb.admx
- Copy the new Citrix ADMX language files (= *.ADML) to the repository:
- ctxprofile5.6.0.adml
- CitrixBase.adml
- receiver.adml
- Copy the new Citrix ADMX files to the repository:
- ctxprofile5.6.0.admx
- CitrixBase.admx
- receiver.admx
And now you are done. If you would like to test the ADMX files before updating the central ADMX repository you can use the local ADMX repository on a server:
- Copy the ADML and ADMX files to the local ADMX repository (C:\Windows\PolicyDefinitions)
- Open the local group policy console: go to Start, Run and enter the command gpedit.msc. You will now see the new ADMX files.
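A check you can run against the staging folder or the repository itself after the update steps above; this is an added example, not code from the article or from Citrix. It flags the templates the article lists as merged, ADMX files without a language file, two files defining the same target namespace, and templates that reference a namespace no file in the folder provides (for example receiver.admx copied without CitrixBase.admx). The function names and the `Example.*` namespace strings are constructed for illustration.

```python
import pathlib, tempfile
import xml.etree.ElementTree as ET

# Templates the article lists as merged into the new receiver.admx.
MERGED = {"hdxflash-client", "ica-file-signing", "receiver_usb"}

def namespaces(admx):
    """Return (target namespace, set of 'using' namespaces) of one ADMX file."""
    target, using = None, set()
    for el in ET.parse(admx).getroot().iter():
        name = el.tag.rsplit("}", 1)[-1]  # ignore the XML schema namespace
        if name == "target":
            target = el.get("namespace")
        elif name == "using":
            using.add(el.get("namespace"))
    return target, using

def check_store(store, language="en-US"):
    """Report leftover, incomplete or unresolvable templates in a PolicyDefinitions folder."""
    store = pathlib.Path(store)
    files = sorted(p for p in store.iterdir() if p.suffix.lower() == ".admx")
    declared = {p: namespaces(p) for p in files}
    owners, problems = {}, []
    for path, (target, _) in declared.items():
        if target in owners:
            problems.append(f"{path.name}: target namespace also defined by {owners[target]}")
        owners.setdefault(target, path.name)
    for path, (_, using) in declared.items():
        if path.stem.lower() in MERGED:
            problems.append(f"{path.name}: merged into receiver.admx, delete it")
        if not (store / language / (path.stem + ".adml")).exists():
            problems.append(f"{path.name}: no {language} language file")
        problems += [f"{path.name}: needs namespace {ns}" for ns in sorted(using - set(owners))]
    return problems

def demo():
    """Constructed store: new receiver.admx copied without CitrixBase.admx, one old file left."""
    admx = ('<policyDefinitions><policyNamespaces><target prefix="t" namespace="{}"/>{}'
            '</policyNamespaces></policyDefinitions>')
    use = '<using prefix="b" namespace="Example.CitrixBase"/>'  # hypothetical namespace
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "en-US").mkdir()
        (root / "receiver.admx").write_text(admx.format("Example.Receiver", use))
        (root / "receiver_usb.admx").write_text(admx.format("Example.Usb", ""))
        (root / "en-US" / "receiver.adml").write_text("<policyDefinitionResources/>")
        return check_store(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Point `check_store` at a copy of the PolicyDefinitions folder and pass the language folder name you deploy; an empty list means none of the four conditions was found.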
Note: your group policy settings are NOT affected when you update ADMX files. Your settings are stored in different files within the group policy:
- Registry.pol -> contains group policy settings
- *.xml (e.g. Files.xml) contains your group policy preference settings
- Policies.gpf -> contains the settings of your Citrix policy (NOT the ones based on an ADMX file)
The path to your group policy is as follows:
%LogonServer%\sysvol\#DomainName#\Policies\#PolicyGUID#
The result
The group policy console now looks like this:
Most items are now stored under Citrix Components, except for the Workspace Environment Management and ShareFile policies. Still, it is quite an improvement I would say.
I am happy with the progress Citrix made. But since I am a bit of a stickler, I still see room for improvement. For example, the name of the ADMX file should always start with 'Citrix' in my opinion. This makes it a lot easier to identify all Citrix-related ADMX files in the central repository. Also, the first letter of the ADMX file should start with a capital letter, but now I am nitpicking.
Description of Problem
Vulnerabilities have been identified in Citrix Workspace app and Citrix Receiver for Windows that could result in a local user escalating their privilege level to administrator during the uninstallation process.
The issues have the following identifiers:
CVE-2020-13884
CVE-2020-13885
These vulnerabilities affect supported versions of Citrix Workspace app for Windows before 1912 and supported versions of Citrix Receiver for Windows.
These vulnerabilities do not affect Citrix Workspace app and Receiver on any other platforms.
What Customers Should Do
Citrix strongly recommends that customers upgrade to Citrix Workspace app version 1912 or later. Customers using Citrix Receiver are strongly recommended to upgrade to Citrix Workspace app. Customers using Citrix Receiver 4.9 for Windows LTSR may alternatively choose to upgrade to Citrix Receiver 4.9.9002 for Windows LTSR Cumulative Update 9 or later to obtain the fixes.
Customers should upgrade via Auto Update, or by running the installer. Customers should not uninstall the previous version of Citrix Workspace app or Citrix Receiver prior to performing the update.
The latest version of Citrix Workspace app for Windows is available from the following Citrix website location:
The latest version of Citrix Workspace app for Windows LTSR is available from the following Citrix website location:
The latest version of Citrix Receiver for Windows LTSR is available from the following Citrix website location:
Acknowledgements
Citrix would like to thank Andrew Hess for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html.
Changelog
Date | Change |
2020-06-11 | Initial Publication |
2020-06-11 | Updated CWA LTSR URL |
2020-06-22 | Receiver 4.9.9002 LTSR CU9 released |