Skip to main content
John Billekens | Notes from the field

Citrix WorkspaceApp Update Script: Check and Alert for Security Risks

··4 mins
Citrix PowerShell Receiver WorkspaceApp Citrix PowerShell Receiver WorkspaceApp
Author
John Billekens
Technical Consultant | End User Computing

It’s crucial to regularly update your Citrix WorkspaceApp to an up-to date version. Many environments still use outdated versions with significant security vulnerabilities (CVEs). Too often, I encounter environments that are still running old versions, including the antiquated “Receiver” versions. Not updating to a non-vulnerable or recent supported version poses a real security risk!
In many environments, users have company-managed devices, for example managed via Microsoft Intune, which can be updated centrally. These devices are typically kept up to date. The greatest risk lies with non-company-managed devices, such as privately owned laptops or bring-your-own-device (BYOD) systems, where users are responsible for maintaining updates themselves.

There’s little you can do for users beyond regularly informing them and providing how-to knowledge. However, we can easily detect the installed Citrix WorkspaceApp (or Receiver) version used by the user without accessing their device. When a user connects to the company Citrix environment, the Citrix WorkspaceApp version is shared with the remote session. This is useful information and can help us check the version and inform the user if they have an unsupported or vulnerable version on their local machine.

Several of my customers have asked how to inform users that they need to update outdated or vulnerable versions. This prompted me to create this script. You can run it as part of a login script or as a task in a tool like Citrix WEM. If the user has a supported or not a vulnerable version, nothing will be displayed. However, if the user has an unsupported or vulnerable version with a known CVE, a customizable popup will appear. Depending on the settings, it can also log off the session. The image shows just an example of what’s possible.

An example (test message) when a vulnerable version was detected:

An example (test message) when a outdated (EOL) version was detected:

You can run the script with parameters or by specifying a customized JSON-file that is up to you. To get an overview of all the parameters and some example just run the following command:

Get-Help <PathTo>\CWACLientDetection.ps1 -Full

This example runs the script with the specified parameters in test mode, running locally and showing the user EOL and CVE messages. It will only log the user off if a CVE was detected (-LogoffOnCVE ). Leave the -Test parameter when presenting the script to the user.

NOTE: The -RunLocal parameter allows you to run the script on your laptop for example. Leave this parameter when you run the script in a Citrix Session as a login script!

C:\Scripts\CWACLientDetection.ps1 -EnableLogging -LoggingPath "C:\Scripts\Logs" -MessageLogo "C:\Scripts\\Logo.png" -MessageTextEOL "Multiline`r`nEnd of life message" -MessageTextCVE "Multiline`r`nCVE message" -MessageTitle "Title" -RunLocal -LogoffOnCVE -Test

The next example wil basically show the same while using splatting. You can optionally use the -Test parameter to run the script in test mode.

@params = @{
    "EnableLogging" = $true
    "LoggingPath" = "<PathTo>\\Logs"
    "MessageLogo" = "<PathTo>\Logo.png"
    "MessageTextEOL" = @"
Multiline
End of life message
"@ # <= It's very important to add NO spaces in front of the closing tag
    "MessageTextCVE" = @"
Multiline
CVE message
"@
    "MessageTitle" = "Title"
    "RunLocal" = $true
    "LogoffOnEOL" = $false
    "LogoffOnCVE" = $true
}
CWACLientDetection.ps1 @params [-Test]

You can also create a JSON file with the same “parameters” and save it for example as “C:\Script\CWACLientDetection.json”.

NOTE: On the PoSH command line a new line in string is defined as “`r`n” the same in a JSON file is “\r\n”.

NOTE: Path dividers in JSON need a double \, e.g.: C:\Script\CompanyLogo.png

{
    "MessageTitle": "Company - Citrix Workspace App versie check",
    "MessageTextEOL":  "Multiline\r\nEnd of life message",
    "MessageTextCVE":  "Multiline\r\nCVE message",
    "MessageLogo":  ".\\CWACLientDetection.png",
    "LogoffOnEOL":  false,
    "LogoffOnCVE":  true,
    "RunLocal": false
}

You can than run the script with the following parameters and you can optionally use the -Test parameter to run the script in test mode.

C:\Script\CWACLientDetection.ps1 -JSONFilename "C:\Script\CWACLientDetection.json" [-Test]

You can find the latest version here on my GitHub repository. I will try to regularly update the script. Especially when a new CVE will be released or when new versions will be added with new EOL dates.

Please send me a message if you miss a CVE or you have suggestions to make it better. I don’t use an Apple Mac or Linux client devices. So I haven’t really had the opportunity to test those kind of devices. Please contact me if you find something not working correctly.

Hopefully this script can help you keep your environment up-to-date and a little bit safer.

Related

Manipulate the 'NameID' SAML content - part 1

·8 mins
Some companies want to allow other (guest) companies to connect to their environment and for example allow them to open a Citrix Desktop. This can be achieved by Connecting an existing Citrix environment to the guest company via SAML (and yes there are other possibilities). SAML is an authentication method based on a two-way trust. Two Microsoft products that can offer SAML authentication are ADFS (Active Directory Federation Services, an on-premises solution) and the other is and Enterprise App you can configure from the Azure portal. The other requirement is Citrix FAS (Federated Authentication Services). In this article I will show you a way to connect a guest (company) via SAML to allow them access to your Citrix environment without the need for adding the guest companies suffix to your domain. 

Manage Native OTP tokens via Windows

·3 mins
Today I want to release an early (beta) version of a new tool I created, “OTP4ADC” With this tool you can add, remove or change the native OTP tokens used within your Citrix ADC, previously called NetScaler.