This message was deleted.

DeviceTRUST 🤘

I think the challenge here is for BYODs ... the biz machines are managed via intune etc

Only thing I can think of would be adaptive access. But it’s tech preview and Citrix has to enable it for use. Which from what I here they are slow to do. Direct access with workspace locations might help. I’m dealing with the same thing. Although my client has traditional Netscaler gateway, so EPA is available for me. Maybe @Oz Zy has some trick? He seems to have a lot of little gold nuggets:)

don't know if this might help, Customize Citrix Workspace app settings | Citrix Workspace

@John Gallacher that's indeed a situation where we can help. deviceTRUST is fully byod capable and is actually used by several customers for that particular use case. Happy to talk and show you around!

Thanks, Sven... I will run some options by the client.. they are in the process of moving off of Citrix and its rarley used so I dont think they will be up for spending on it.. I have heard great things about DevieTRUST from a few folks 🙂

@John Gallacher, the new capability (tech preview) of Compliance checking/device posture check (which uses the Secure Access Endpoint Analysis) is now a direct integration capability with Workspace. We are just now testing it a bit for some compliance checks. But on this, a reg key check might do the trick for a CWA check. However, also, With Workspace, there is the Global App Configuration Service and Client App Management feature built-in there where you can dictate a min and max version of CWA that endpoints must have (and this is managed at the tenant level so doesn't matter if managed or not). I have just started messing with that also. This here says SPA, but it is Workspace in general as well for when it does the check. Our testing was specific to SPA first for a customer scenario https://docs.citrix.com/en-us/citrix-secure-private-access/device-posture.html and https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/configure.html#client-app-management

@Oz Zy Isn’t the global app configuration service only capable to manage the plugins but not CWA itself (regarding min allowed versions)?

@dready no, what's interesting with it now, is the "client app management" piece where now with latest builds, we can deploy the CWA, SCA, and even EPA agent with it and (cli only) determine min and max versions. I hope they get the min and max builds in GACS gui at some point soon.

ah ok, did not check the CLI possibilities, thx

Yea, I like where they are going with this. They need to clean up GACS a bit more and get some more stuff over from the developer portal (CLI) to the GUI, but at least they are getting stuff done here to give us something to talk about

See, I knew @Oz Zy would have the deep information 🙂

Isn't the risk with workspace app on the endpoint side? I didn't think the CVE for workspace app allowed SYSTEM access to the VDA, just the machine running workspace app. If its a BYOD device, then the user should be an admin on their own machine. If it's a vendor machine, they should be responsible for their own endpoints.

Yea, but if they get system access who knows what a hacker could do through the ica channels

Hey @John Gallacher! Did you find a solution for this request?#