Published Applications

Last Modified: Dec 22, 2023 @ 5:02 am


💡 = Recently Updated

Change Log

RDSH Application Testing

Installing apps on Remote Desktop Session Host (Virtual Apps or XenApp) is more complicated than installing apps on a single-user operating system (virtual desktop). Here are some RDSH-specific considerations that must be tested before integrating a new application into RDSH. These considerations usually don’t apply to virtual desktops.

  •  Multi-user Capable – can the application run multiple times on the same machine by different users? Most applications don’t have a problem, but a few do, especially applications that put temporary files or other writable files in global locations. For example, the first user of an app could write temporary files to C:\Temp. The second user writes to the same location, overwriting the temp files needed by the first user. Test the app with multiple users running the app on the same RDSH machine.
  • Lockdown to prevent one user from affecting another – What restrictions are needed to prevent one user from affecting another? For example, if an app’s configuration files are stored in a global location, you don’t want one user to edit the configuration file, and thus affect a different user. Test the app with multiple users running the app on the same RDSH machine.
  • Permission Relaxations – what relaxations (e.g. NTFS) are needed to allow non-administrators and GPO locked-down users to run the application? Test the application as a non-administrator with GPO lock down policies applied.
  • First Time Use – when a user launches an application the first time, the application should be automatically fully configured with default settings (e.g. back-end server connections). Use group policy to apply application settings. Automated FTU also helps with a user whose profile is reset. Test the RDSH app with a user that has a new (clean) profile.
  • Roaming – users could connect to a different RDSH machine every day, and thus user settings need to roam across machines. Test running the app on one RDSH, make changes, then login to a different RDSH machine to ensure the changes are still there.
  • Application Licensing – if an application requires licensing, can licensed and non-licensed users connect to the same machine? Can it be guaranteed that non-licensed users can’t run the application that requires licensing? Adobe Acrobat is an example of a challenging application because of the global .pdf file-type association, and the global PDF printer.
  • Client Devices (USB, printers, COM ports) – the client device mapping capabilities on RDSH are not as extensive as virtual desktops. For example, generic USB wasn’t added until Windows Server 2012 R2. When the application prints, does it show printers from every user, instead of just the user running the app? Does the app need COM port mapping?
  • Shared IP – does the app have any problems with multiple users sharing the same IP address? If so, you might have to configure RDS IP Virtualization.
  • Fair Sharing of Hardware Resources– does the app sometimes consume a disproportionate amount of hardware resources? For example, can the app be used to launch a task that consumes 100% CPU for some time? One option is to put this app on its own Delivery Group. Or you can use Citrix Workspace Environment Manager to ensure fair sharing of hardware resources.
  • Published Application – can the app run as a published application that doesn’t have Explorer running in the background? Does the app (e.g. Internet Explorer web apps) need RunOnce.exe /AlternateShellStartup to fully initialize before it will run correctly as a published application? Some apps work without issue in a published desktop, but don’t work properly as published applications. When testing a published app, test it with a user that has a new (clean) profile. Connecting to the published desktop once will cause Active Setup to run, changing the user’s profile, thus distorting the published app testing results.
  • Integration Testing – when installing a new app on a RDSH server, don’t forget to test the other apps already on the RDSH server, because the new app might have broken the other apps. The more apps you put on an RDSH server, the longer it takes to perform integration testing.

Also see MSDN Remote Desktop Services programming guidelines.

Some of the issues in this list can be overcome by using an application virtualization tool (e.g. Microsoft App-V) that runs apps in isolated bubbles.

Application Groups

Citrix Blog Post Introducing Application Groups in XenApp and XenDesktop 7.9

Citrix Virtual Apps and Desktops and XenApp 7.9 and newer has an Application Group feature. This feature lets you group published apps together so you can more easily apply properties to every app in the group. Today, you can do the following:

  • Control visibility of every app in the app group (Users page).
  • Publish every app on the same Delivery Groups.
  • Prevent or allow apps in different Application Groups from running in the same session.
  • With one published app icon, test users launch from test Delivery Group, while production users launch from production Delivery Group.

To create an Application Group:

  1. In Citrix Studio, right-click Applications, and click Create Application Group.

    1. In the Getting Started page, click Next.
    2. In the Delivery Groups page, select the delivery groups you want these apps published from.
    3. In the Users page, select the users that can see the apps in this app group.
    4. Note: there are three levels of authorization. An app is only visible to a user if the user is assigned to all of the following:
      • Delivery Group
      • Application Group
      • Individual Published Apps in the Application Group
    5. Click Next.
    6. In the Applications page, publish applications like normal. The Existing option lets you select an app that’s already been published to a different Application Group or Delivery Group. Click Next.
    7. In the Summary page,  give the Application Group a name, and click Finish.
  2. In the Applications node in Studio, there’s a new Application Groups section.
  3. If you highlight your Application Group, on the right is the list of apps in the group. You can edit each of these published apps like normal.
  4. You can drag applications into an Application Group.

  5. However, this more of a copy than a move. To actually move the app exclusively into the Application Group, edit the individual app, and on the Groups page, remove all Delivery Groups (or other Application Groups). The app will instead inherit the Delivery Groups from the app group.
  6. If you edit the Application Group:
  7. The Settings page has an option for session sharing between Application Groups. Clearing this checkbox allows you to force applications in different Application Groups to run in different sessions.
  8. The Delivery Groups tab lets you set Delivery Group priority. If priority is identical, then sessions are load balanced. If priorities are different, then sessions are launched on Delivery Groups in priority order.
  9. The checkbox for Restrict launches to machines with tag lets you restrict the apps to only run on VDAs with the selected tag.
  10. In Citrix Virtual Apps and Desktops and XenApp/XenDesktop 7.13 and newer, you can use PowerShell to cause an Application Group to launch multiple app instances in separate sessions. Citrix Blog Post XenApp and XenDesktop 7.13: Launching an Application in Multiple Sessions.

Limit Icon Visibility

For Published Applications, there are three levels of application authorization: Delivery Group, Application Groups, and Published App Limit Visibility. A published app icon is only visible if the user is added to all three levels.

  1. Delivery Group (Users page). If the user is not assigned to the Delivery Group, then the user won’t see any application or desktop icon published from that Delivery Group.

  2. Limit Visibility – You can use the published app’s Limit Visibility page to restrict an icon to a subset of Delivery Group users.

  3. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.9 and newer, you can use Application Groups to restrict access to published icons.

  4. App Icons won’t appear unless users are added to all three of the above locations.

Published Desktops have separate authorization configuration:

  1. Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.8 and newer have a Desktops page in Delivery Group properties where you can publish multiple desktops and restrict access to those individual published desktops.

  2. In XenApp/XenDesktop prior to version 7.8, if a desktop is published from the Delivery Group, by default, every user assigned to the Delivery Group can see the icon. You can use the PowerShell command Set-BrokerEntitlementPolicyRule to limit the desktop icon to a subset of the users assigned to the Delivery Group.
    1. Run asnp citrix.*
    2. Run Get-BrokerEntitlementPolicyRule to see the published desktops.
    3. Then run Set-BrokerEntitlementPolicyRule to set the IncludedUsers or ExcludedUsers filters.

Published Content

Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.11 and newer have Published Content where you can publish URLs that are opened in the user’s local browser. You can also publish UNC paths, which are opened with local Explorer or local application.

It’s not possible to publish content using Citrix Studio. Instead, use PowerShell.

The New-BrokerApplication cmdlet requires you to specify a Delivery Group which must have at least one registered machine in it. However, the published content does not actually launch from the Delivery Group since the URLs and/or UNCs open locally.

First run asnp citrix.*

Then run New-BrokerApplication -ApplicationType PublishedContent. Here is a sample PowerShell command:

New-BrokerApplication -Name "CitrixHomePage" -PublishedName "Citrix Home Page" -ApplicationType PublishedContent -CommandLineExecutable -DesktopGroup RDSH12R2

Instead of publishing to a Delivery Group, you can publish to an Application Group by using the -ApplicationGroup switch. The Application Group must have Delivery Group(s) assigned to it.

Once the Published Content is created, you can see it in Citrix Studio. You can also edit it from Citrix Studio, including Limit Visibility and Groups (to move it to an Application Group).

Published Content can be placed in Application Groups, which supports properties to restrict access to the shortcut.

It does not appear to be possible to set the icon from Studio, but you can do it using PowerShell. See Citrix Blog Post @XDtipster – Changing Delivery Group Icons Revisited (XD7) for instructions to convert an icon to a base64 string, and import to Citrix Virtual Apps or XenApp using New-BrokerIcon -EnCodedIconData "Base64 String".  Then you can link the icon to the Published Content using Set-BrokerApplication "App Name" -IconUid.

In StoreFront 3.7, you can click the icon and URLs will open in a new browser tab.

HTTP/HTTPS Published Content should open in Receiver. Other URLs (e.g. file:// or UNC path) will probably show an error message.

You can override this restriction by enabling the group policy setting Allow/Prevent users to publish unsafe content at Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Receiver | SelfService. This assumes you’ve installed the Receiver .admx files. (h/t David Prows at CUGC forums).

Application Usage Limits

In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop 7.7 or newer, if you edit an application’s Properties, on the Delivery page, you can restrict the number of concurrent instances of the application. You can also Limit to one instance per user.

Citrix Virtual Apps and Desktops (CVAD) 1808 and newer support limiting the number of application instances per machine. This setting is configured using PowerShell. See Configure application limits at Citrix Docs.

asnp citrix.*
Set-BrokerApplication MyApplication -MaxPerMachineInstances 2

To revert to unlimited per-machine instances of the published application, set MaxPerMachineInstances to 0.

Keywords for StoreFront

In a published application’s Properties, on the Identification page, in the Description and keywords field, you can enter KEYWORDS to control how the app behaves when displayed by StoreFront.

  • Enter KEYWORDS:Mandatory or KEYWORDS:Auto to cause the application to automatically be subscribed or favorited in Citrix Receiver.
    • In StoreFront 3.0 and newer, the user can go to the Apps tab, click an App’s Details button, and mark the app as a Favorite. 
    • In the older StoreFront interface, users subscribe to applications by clicking the plus icon to add the application to the middle of the screen. 
    • Mandatory means the app can’t be removed from Favorites or unsubscribed.
    • Auto means the app is automatically favorited or subscribed, and can be un-favorited or unsubscribed by the user.
  • Enter KEYWORDS:Featured to make the application show up in the Featured list.
  • You can separate multiple keywords with a space. KEYWORDS:Mandatory Featured.
  • See the StoreFront 3.7 Keywords documentation at Citrix Docs for more information.

Users will have a better experience with StoreFront if applications are published into folders. The folder name is specified in the Delivery page in the Category field. Note: Add shortcut to user’s desktop works in newer versions of Receiver assuming the app is marked as a Favorite.

Secure Browser

Citrix has a deployment guide for publishing a browser from XenApp. Here’s an overview of the configuration:

  • Install Chrome on an RDSH VDA.
  • In Studio, publish IE and/or Chrome in Kiosk Mode to anonymous users.
    • Create a different published app for each website.
  • In StoreFront, create a Store for Unauthenticated Users.
  • In StoreFront, enable Receiver for HTML5.
  • In StoreFront, enable web links so you can link to the published browser from a different website.

When a user launches the published browser, the HTML5 client opens the published app in a local browser tab. The published browser runs in kiosk mode so that the published browser’s user interface is hidden. It looks like the website is running on the local browser but actually it’s running from a published browser.


App-V GPO ADMX templates

The latest GPO ADMX templates for App-V can be downloaded from Microsoft Desktop Optimization Pack Group Policy Administrative Templates.

App-V and Logon Times


App-V Dual Admin

In Dual Admin mode, you configure Citrix Studio to connect to App-V Management Server(s) and Publishing Server(s).

See Citrix Blog Post Load Balancing Microsoft App-V Servers with a Citrix Virtual Apps deployment for supported App-V server load balancing configurations.

  • Connecting to Management Servers using a load balancing VIP is not supported.
    • Use DNS Round Robin instead. Or use Citrix PowerShell to specify multiple Management Servers.
  • You can connect to Publishing Servers load balanced through a VIP, but Studio will show an error. Just ignore it.

App-V Single Admin

Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.8 no longer requires App-V management infrastructure and can instead pull the App-V packages directly from an SMB share as detailed at App Packages at Citrix Docs.

The computer accounts for Delivery Controllers and VDAs must have read access to the share. An easy method is to add Domain Computers. See CTX221296 Citrix App-V Integration Minimum Permission Requirements.

In CVAD 2311 or newer, in Web Studio, go to App Packages to add App-V packages. See Publish packaged applications on single-session or shared desktop VDAs at Citrix Docs.

In older Citrix Studio, go to Configuration > Hosting, right-click App-V Publishing, click Add Packages, and browse to the .appv file.

Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.11 adds an Isolation Groups tab.

Once App-V packages are added to Citrix Studio, you can publish an app, and select App-V from the drop-down.

The App-V apps show up as AppLibrary App-V and support the same options as other published applications.

Make sure the App-V Components are installed on your VDA. It’s not checked by default in 7.12 and newer.

On your VDA Windows 10/2016 or newer, in PowerShell, run Enable-Appv. For older OS, install the App-V client.

There appears to be some limitations to the package share method as detailed by Joe Robinson at Citrix Discussions:

Joe Robinson provided a script to force the App-V client to sync before launching the user’s App-V application.

If you run Citrix Workspace app inside a VDA machine and attempt to launch an App-V published app, it will launch from a different VDA session instead of the VDA session you’re already connected to.

Launch App Inside App-V Bubble

From Citrix Blog Post Process Launching in an App-V V5 Virtual Environment:

  • On any executable, add the /appvve:<PackageID>_<VersionID> of the package in which one would like the executable to run
  • If the App-V process is already running then use the /appvpid:<ProcessId> to inject into a running App-V virtual environment
  • If you want something more permanent, you can set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\<YourApplicationName> with a default REG_SZ key that has the executable name in it.

Also see Microsoft Knowledgebase article How to launch processes inside the App-V 5.0 virtualized environment.



Change Published Desktop Icon

Citrix Blog Post Changing Delivery Group Icons Revisited (XD7) has instructions on how to use PowerShell to import a Base-64 icon and then link it to the published desktop.

StoreFront overrides custom desktop icons. Run the following PowerShell commands to restore custom desktop icons: (h/t CTP Sam Jacobs)

& 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'

$store = Get-STFStoreService /Citrix/Store
Set-STFStoreService -StoreService $store -SubstituteDesktopImage $false -Confirm:$false

Other Published App Tips

CTX209199 Published 64 bit Aps Can’t Be Started With %ProgramFiles% in Command Line If It’s Not the first Application to Start: You can try the following methods to address this issue:

  1. Use the absolute path to publish the application.
    2. Use %ProgramW6432% for 64-bit applications instead of %ProgramFiles%.

Google Chrome

Links detailing installation, configuration, roaming profiles, and publishing.

CTX132057 Google Chrome Becomes Unresponsive when Started as Published Application: add the parameters --allow-no-sandbox-job --disable-gpu in the published app command line. According to Dennis Span, this is no longer needed in Chrome 58 and newer.

CTX205876 Non-published Google Chrome browser on XenApp server, called and launched from any published app, is seen in black/grey screen: The command line parameter has to be added to registry shell open command for the Chrome browser:

  1. In Regedit, navigate to HKEY_CLASSES_ROOT\http\shell\open\command
  2. Edit the Default value as follows:
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --allow-no-sandbox-job --disable-gpu -- "%1"

Disable Application and Hide It

  1. In Studio, you can disable a published application by right-clicking it, and clicking Disable.
  2. In older versions of XenApp/XenDesktop, when you disable the application, it leaves the application visible but it is grayed out thus preventing users from launching it. In 7.8, the disabled app is automatically hidden (no longer shown in the apps list).
  3. If desired, you can hide or unhide the disabled application icon by running a PowerShell command:
    asnp citrix.*
    Set-BrokerApplication MyApp -Visible $false

  4. When you re-enable the application, Visibility is automatically set back to true.

Browser Content Redirection

Browser Content Redirection prevents the rendering of whitelisted webpages on the VDA side, and instead renders them on the client side. Only the browser viewport is redirected. The intent of this feature is to redirect HTML5 Video (e.g .youtube).

Browser Content Redirection requirements:

  • Citrix Virtual Apps and Desktops (CVAD) or XenApp/XenDesktop 7.16 and newer
  • Receiver 4.10 or newer
  • Chrome support is available in Citrix Virtual Apps and Desktops (CVAD) 1808 and newer
    • In the VDA, install the Chrome Browser Extension named Browser Content Redirection Extension. You can use Google Chrome Group Policy templates to force installation of the extension. See Browser content redirection Chrome extension at Citrix Docs.
    • You do not need any client software other than Workspace app 1809 or newer. The client-side rendering engine is included in Workspace app 1809 and newer.
      • HDX Browser Content Redirection feature will not work with Citrix Workspace app for Windows 1912 LTSR due to removal of the embedded browser from LTSR versions. But it does work in Workspace app 2006.
  • Internet Explorer 11– IE 11 on both the VDA, and on the client.
    • On the VDA, Enhanced Protected Mode must be disabled under Internet Explorer: Internet Options > Advanced
    • On the VDA, an IE 11 Browser Helper Object (BHO) named Citrix HDXJsInjector facilitates the redirection.
    • In Internet Explorer > Tools > Internet Options > Advanced > Browsing, ensure that Enable third-party browser extensions is checked. Source = Content Browser Redirection at Citrix Discussions.
  • Internet access from Client – By default, the client (Receiver) tries to fetch the redirected content. If client is not able to fetch, then the content falls back to server rendering.
  • When redirection is working, the client machine has a HdxBrowser.exe process.

    • See Kasper Johansen Citrix Xenapp And Desktop 7.16 Browser Content Redirection for some videos of this feature.
    • Kasper and Rasmus detail client-side registry keys to enable HdxBrowser.exe to use client-side GPU. These keys/values might already be configured in Receiver 4.11 and newer.
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
        • HdxBrowser.exe (DWORD) = 1
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
        • HDXBrowser.exe (DWORD) = 11000 (Decimal)
      • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
        • HdxBrowser.exe (DWORD) = 1
      • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
        • HDXBrowser.exe (DWORD) = 11000 (Decimal)
    • Rasmus Raun-Nielsen at Browser Content Redirection?! at LinkedIn has some CPU analysis, including client-side GPU.

Browser Content Redirection is configured using Citrix Policies, in the User half, under the Multimedia category.

Browser Content Redirection is enabled by default, but only for the specified whitelist URLs (ACL Configuration). Note that wildcards can be used in the path, but not in the DNS name. To configure Microsoft Teams and GoToMeeting, see CTX238236 Browser Content Redirection: whitelisting websites.

Citrix Virtual Apps and Desktops (CVAD)  and XenDesktop 7.18 and newer have a setting named Browser Content Redirection Authentication Sites. Add URLs that are redirected from the main ACL URL. To configure Microsoft Teams and GoToMeeting, see CTX238236 Browser Content Redirection: whitelisting websites. Also see See CTX230052 How to Troubleshoot Browser Content Redirection.

Citrix Virtual Apps and Desktops (CVAD) and XenDesktop 7.17 and newer have a Blacklist setting. Any address added here will not be redirected to the client. You typically configure this setting to override the ACL setting (e.g. ACL setting has a generic URL, but the Blacklist has a more specific URL)

7.18 adds a Browser Content Redirection Authentication Sites setting. Configure a list of URLs that sites redirected via Browser Content Redirection can use to authenticate a user. E.g. iDP URLs.

Registry keys for Browser Content Redirection are detailed at Browser content redirection policy settings at Citrix Docs.

Bidirectional Content Redirection

You can redirect URLs from client to a published browser, or from VDA to the client. See Bidirectional content redirection policy settings at Citrix Docs for requirements and limitations.

  1. Make sure Local App Access is not enabled on the VDAs.
  2. Make sure a browser is published. Chrome and Edge require Workspace app 2106 and newer connecting to VDA 2106 and newer.
  3. Edit a GPO that applies to VDA users.
  4. Go to User Config | Policies | Citrix Policies and edit a Citrix Policy.
  5. Find the setting Allow Bidirectional Content Redirection and enable it (Allowed).

  6. In CVAD 2311 and newer, use the setting Bidirectional content redirection configuration to insert a JSON string containing the list of URLs to redirect from client or VDA. The older setting for Allowed URLs has been deprecated. See Bidirectional content redirection at Citrix Docs.

  7. Prior to CVAD 2311, also configure the Allowed URLs policy settings (VDA to client, or client to VDA) to indicate which URLs should be redirected in either direction.

    • VDA 2206 adds support for wildcards in the Allowed URLs to be redirected to Client policy setting, but not from Client to VDA.
    • VDA 2206 adds support for custom protocols other than HTTP and HTTPS in the Allowed URLs to be redirected to Client policy setting. These custom protocols don’t work from Edge/Chrome.
    • More details at Citrix Docs.
  8. In CVAD 2311 and newer, it is no longer necessary to configure Bidirectional Content Redirection on the client side. For older CVAD:
    1. Copy the receiver.admx file from Receiver 4.7 or newer to PolicyDefinitions (SYSVOL or C:\Windows\PolicyDefinitions).
    2. Edit a GPO that applies to client devices (endpoints).
    3. Go to User Configuration | Policies | Administrative Templates | Citrix Workspace | User experience.
    4. Double-click the setting Bidirectional Content Redirection.
    5. Enable the setting.
    6. In the Published Application field, enter the name of the Internet Explorer published application.
    7. In the Allowed URLs fields, configure the URLs you want to redirect in either direction.
  9. On the VDA, run one or more the following commands to register the browser add-on. Chrome and Edge require Workspace app 2106 and newer connecting to VDA 2106 and newer.
    "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regIE
    "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regChrome
    "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regEdge
    "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regall

  10. CTX232277 Unable to Logoff When Bidirectional Content Redirection is Configured says that the following registry value should be configured on the VDA. If you already have LogoffCheckSysModules, then add the below processes names to the existing value.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
      • LogoffCheckSysModules (REG_SZ) = wfcrun32.exe,Concentr.exe,SelfServicePlugin.exe,redirector.exe
  11. In Workspace app 2106 and newer connecting to VDA 2106 and newer, do the following to enable redirection for Chrome and/or Edge:
    "%ProgramFiles(x86)%\Citrix\ICA Client\redirector.exe" /regChrome /verbose

  12. Chrome might display an Error indicating New extension added.

  13. For Internet Explorer, do the following:
    "C:\Program Files (x86)\Citrix\ICA Client\redirector.exe" /regIE

  14. When you run Internet Explorer on the VDA or client device, you’ll be prompted to enable the add-on. You can configure a GPO to enable this add-on automatically. Redirection won’t work unless the add-on is enabled.

Host to client Redirection

This feature causes Citrix VDA to redirect http links in applications to the client machine, so they are opened using the client’s browser. The feature is disabled by default.

James Rankin at Using host-to-client redirection in Citrix XenApp explains the feature in detail, including:

  • Limitations of the feature
  • Registry values to control the URL Schemes that can be redirect to the client
  • Group Policy and XML file to handle the File Type Associations in Windows 2012 and newer

Local App Access

Some applications are not suitable for centralization and instead should run on endpoint devices. These applications include: phone software, applications needing peripherals, etc. Citrix Local App Access lets you access these endpoint-installed applications from inside a published desktop. This is sometimes called Reverse Seamless.

Local App Access has three modes of functionality:

  • User-managed local applications. Any shortcuts in the endpoint’s local Start Menu and local Desktop are made available from inside the published desktop.
  • Administrator-managed local applications. Use Studio to publish a local application, which is created as a shortcut inside the published desktop. When the shortcut is launched, it is actually running from the endpoint device (reverse seamless) instead of the centralized desktop. If you enable administrator-managed local applications then user-managed local applications are disabled.
  • URL Redirection. Administrators define some URLs that should be opened in a local endpoint browser instead of a VDA browser, and then display the local browser inside the published desktop (reverse seamless).

Local App Access requires Platinum Licensing.

Do the following to configure Local App Access:

  1. In a Citrix Policy that applies to the VDAs, enable the Allow local app access policy setting. It’s in the Computer Half.
  2. The URL redirection black list setting lets you define a list of URLs that should be opened on the endpoint’s browser instead of the VDA browser. Alternatively, you can instead configure Bidirectional Content Redirection.
  3. On the Endpoints, install Receiver using the ALLOW_CLIENTHOSTEDAPPSURL=1 switch. Feel to add /includeSSON too. Run the installer from an elevated (Administrator) command prompt. This switch automatically enables both Local App Access and URL Redirection. Note: the URL Redirection code does not install on VDAs so URL Redirection might not work if your endpoint has VDA software for Remote PC.
  4. After installation of Receiver, launch Internet Explorer. You should see a prompt to enable the Citrix URL-Redirection Helper add-on.
  5. You can also go to Tools > Manage Add-ons to verify the Browser Helper Object.
  6. By default, Local App Access redirects the endpoint’s Start Menu and Desktop. You can control which folders are redirected by editing the endpoint’s registry at HKCU\Software\Citrix\ICA Client\CHS. You might have to create the CHS key. Create the Multi-String Values named ProgramsFolders and DesktopFolders, and point them to folders containing shortcuts that you want to make available from inside the published desktop.

  7. When you connect to a published desktop, by default, there will be a Local Programs folder in the Start Menu containing shortcuts to programs on the endpoint’s Start Menu. These are user-managed shortcuts. Note: Windows 8 and newer only supports one level of Start Menu folders. This means that all local shortcuts are placed into the single Local Programs folder without any subfolders.
  8. On the VDA Desktop there will be a Local Desktop folder containing shortcuts from the endpoint’s desktop. These are user-managed shortcuts.
  9. Note: the following doesn’t seem to work in LTSR 7.15. The VDA seems to overwrite these registry values.
    1. The Local Desktop and Local Programs folders on the VDA can be renamed by editing the VDA’s registry at HKCU\Software\Citrix\Local Access Apps. You might have to create the Local App Access registry key. Create String values ProgramsCHSFolderName and DesktopCHSFolderName as detailed at Citrix Docs.

  10. To enable administrator-managed local applications, login to a machine that has Citrix Studio installed, and edit the registry. Go to HKLM\Software\Wow6432Node\Citrix\DesktopStudio, and create the DWORD value named ClientHostedAppsEnabled, and set it to 1.
  11. When you open Studio, and right-click the Applications node, there is a new entry Add Local App Access Application.

    1. In the Getting Started with Local Access Applications page, click Next.
    2. In the Groups page, select the Delivery Group or Application Group whose published desktop will receive the shortcut, and click Next.
    3. In the Location page, enter the path to the executable. This is the path on the endpoint. Also enter a Working Directory. You can get this information from the properties of the shortcut on the endpoint device. Click Next.
    4. In the Identification page, enter a name for the shortcut, and click Next.
    5. In the Delivery page, these options work as expected. Click Next.
    6. In the Summary page, click Finish.
    7. If you open the Properties of the Local App, there’s a Limit Visibility page.
  12. When you login to the desktop, you’ll see the administrator-managed local application. If any administrator-managed Client Hosted Applications are delivered to the user, then the default Local Programs and Local Desktop folders no longer appear.
  13. To enable URL Redirection, login to the VDA, and run "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regall. This registers the browser helpers.

  14. In Internet Explorer, if you go to Tools > Manage Add-ons, you’ll see the Citrix VDA-URL-Redirection Helper add-on.
  15. From inside the published desktop, if you go to a website on the blacklist, the VDA browser will close and a local browser will open in Reverse Seamless mode. If you then go to a website that is not on the blacklist, the local browser will close and the VDA browser will open again.

Citrix TV – Local App Access in XenDesktop 7

Anonymous Apps

Citrix Virtual Apps and Desktops (CVAD) and XenApp 7.6 and newer supports publishing apps to anonymous users. Edit the Delivery Group, and on the Users page, check the box next to Give access to unauthenticated (anonymous) users.

Anonymous Users are managed differently than regular Domain Users. See VDA Anon instructions for adding anon accounts, configuring session timeouts, and configuring local group policy.

Anonymous published apps should show up for all authenticated users. However, you can also create a StoreFront store that does not require any authentication.

Export/Import Published Applications

If your destination CVAD farm is version 2212 or newer with Web Studio, then you can use Citrix’s Automated Configuration Tool to export and import the configuration. See Citrix Docs PoC Guide: Automated Configuration Tool – On-Premises to On-Premises Migration


Related Topics

267 thoughts on “Published Applications”

  1. Hi Carl,

    I have read you article. We have an issue at the moment as follow:
    We have an on-prem app that have been created as an published app.
    This applicaton is running fine on the host of the user. But when we want to topen an email,pdf,txt or excel file in this application. Its opening it in the Client VDI. But we want to use Local App Access.

    Do you have any tip/solution for this?

    Kind Regards,

    1. I don’t think I ever got that to work. You can do host-to-client URL redirection, but that’s only for URLs.

      1. Thank you for your reply. I have ask this also on the Citrix Forum. Its should be possible. The Published application is starting the adobe or excel installed on the VDI/RDS. Maybe redirect that application to the local application 🙂

        Like: txt always open with > the Local notepad of the client.

  2. Hi Carl, Long time reader of your blog. Do you have any experience with Publishing an application from a Single Session OS (Win10) ergo VM Hosted App on Citrix DaaS?

    I have the issue that the user needs to login into the VM, but immediately is logged off (signing out) without seeing the application.

    1. Does the application exist at the path specified in the published app?

      Are you able to look at the event log on the VDA?

  3. Hi Carl, i follow your blog since the last years, and now i must solve a customer requirement, maybe you can help me with that requirement.

    When i create a machine catalog in Studio, if i choose single-session OS, i have an option in the creation wizard that allows me to choose between Random non-persistent desktops, Static non-persistent desktops or Static persistent desktops, then i complete the wizard with my selection and that’s all, i have a new catalog with the desired type of desktop.

    On the other hand, when i choose multi-session OS, the wizard doesn´t ask me to choose if i want persistent or random app servers, always completes the wizard and then the catalog appears as random desktops.

    One customer asks me if there is any option to deploy a machine catalog with persistent server images that don’t loose changes when virtual machine shuts down or restarts, because some applications they use write data in so many folders in the disk that we can not manage with fslogix or folder redirention via GPO.

    Is there any way to do that?, to have a multi-session OS machine catalog that will provide persistent desktops to the delivery group that the customer will publish the applications with. Thanks in advance.

    1. I don’t think MCS can do that, but you could use your hypervisor to clone a template RDSH machine and then add it to a Manual Catalog.

      1. Hi Carl, and thanks for the prompt reply, but i understand you mean that i need to add RDSH roles to the machine and the select the “use another technology” option in the catalog wizard instead of selecting “use MCS”, and manually selecting that clone.

        The question then is… who will be providing sessions for the published apps then? RDSH? Citrix?, i mean, is that only an approach for having this machine inside the Citrix infratructure or it will behave the same as a regular aplication server deployed from MCS wizard?.

        1. Once it’s in a Catalog, you can then add it a Delivery Group and publish apps just like always. However, you’re on your own for updating the machines. Citrix still brokers connections to the machines.

  4. Hi Carl, I need to discover which published applications have not been launched in the past year. Are you aware of a script which can do this?

    1. Are you licensed for Premium Edition? Is your Director grooming set to 365 days instead the default 90 days? If so, then you might be able to get the info from the Monitoring database.

  5. Hi, Carl.
    Is it possible to restrict one application to certain servers in one delivery group? Ex. Delivery group is made of 8 servers and want to restrict that application to 4 of that 8 servers. Thanks!

    1. With tags, yes. Assign a tag to machines. Then create an Application Group and select the Delivery Group with tag. Move your published app to the application group (make sure the published app is not bound directly to a Delivery Group but only bound to an Application Group).

  6. Hi Carl, Thank you for you hard work, its has literaly saved days and days of work for me. I am looking forward for your posts!

    I have a question that might not be 100% relevant in this arcticle , but I am unsure where it should be.

    I am looking for a way to 1) start Onedrive inside on a XEN app, and 2) enable SSO so the moment the user launches the Xen app, he is able to save docs on his own onedrive. Hope this makes sense.

    Any information on how – and if – this is possible would be very helpful, even pointing me to the right path!

    Keep up the good work!

    Thank you,


  7. Hi Carl,
    we installed Citrix 2103 on Windows server 2019, created all configurations, added apps. But we find problem that users using O365 apps has no licenced Office. If the Word is started through the Citrix Desktop, everything works well, but if the Word is started with App shortcut, message with no licence is displayed – office licence files in local user profile missing. We tested run Desktop, then delete keys manually, and then run App shortcut – works well, keys are again copied. Do you have udea what is wrong?

    We also check UviProcessExcludes registry keys as was written somewhere, but sppsvc.exe is already there.
    Please do you have advice?

    Thank you

          1. Carl, i have the CTX267071 registry hack in place and am still getting the ghost window.
            I am using FSlogix for my Office and Profile container and testing 2019 VDA’s. Some of the users, including myself, do not have any issues, others are able to load office apps because they are prompted for password and do not see the popup. I have deleted the FSLogix profiles and still get the issue when they launch o365 app for first time.
            Any suggestions on next steps, am i missing a step to get registry hack to work ?.

  8. Hi Carl,

    Thank you for all of the work that you put into this site. It has been very valuable to me.

    I have run into a strange problem. I have two published apps that use mmc.exe – one is AD Users & Computers and the other is an Exchange console. If I launch either app individually, they work fine. If I try to launch both apps, or if I try to launch the same app twice, I get an error that says “Windows cannot find ‘%SystemRoot%\System32\mmc.exe’. Make sure you typed the name correctly, and then try again.”

    If I log directly onto the server’s console, I can launch both apps or the same app without any problem. So it seems to only be an issue with running mmc.exe twice in the same published app session. Any suggestions to what might be going on here?

    Also, one other observation is that when you launch AD U&C, it opens right up with no UAC prompt. When you launch the Exchange console, it prompts for UAC elevation. They are both using MMC. (This behavior is the same on the console as in the published app.) Do you know of a way to have other consoles act like AD U&C (that is, to not prompt for UAC), without turning off UAC?

    Any help is appreciated.

    Thank you,

    1. I seem to recall Windows having a built-in list of MMC snap-ins (e.g. ADUC) that don’t need UAC prompt but all others do need UAC prompt.

      Have you tried publishing a batch file that launches your .msc?

  9. Hi Carl,

    Is there any options available for file drag and drop for published applications? Say for example dropping a graphic file into a published graphic application? The graphic application allows copy/paste or drag and drop while working with the application in local system. However in Citrix its not possible into application.


    1. Versions of CVAD newer than 1912 (e.g. 2106) support drag and drop. It’s enabled by default. What version of CVAD are you trying?

  10. Im getting an error when i try to add an Local App Access Application as an Published Application.
    Error Id: XDDS:BFC354DE

    Error Source : Citrix Studio
    StackTrace: System.InvalidOperationException Sequence contains no elements
    at System.Linq.Enumerable.First[TSource](IEnumerable`1 source)
    at Citrix.Console.DesktopGroups.UI.Dialogs.CreateLocalAccessAppWizard.GenerateSummary(Object sender, EventArgs e)
    at Citrix.Console.CommonControls.ViewModelBase.FireEvent(EventHandler handler)
    at Citrix.Console.Shared.UI.Pages.SummaryPageViewModel.LoadPageData()
    at Citrix.Console.CommonControls.Wizard.PageBaseViewModel.LoadPageDataInternal()
    at Citrix.Console.CommonControls.Wizard.PageBaseViewModel.b__16_20()
    at Citrix.Console.CommonControls.ViewModelBase.Invoke(Action action)
    at Citrix.Console.CommonControls.ViewModelBase.CallWithErrorHandling(Action action)

    For an example Application like Chrome with this parameter:
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    WorkingDirectory: C:\Program Files (x86)\Google\Chrome\Application

  11. Carl, in testing my 2019 vda servers and publishing Windows Explorer i have noticed when i make a change to a file or folder it does not show the change until i refresh the content. this is not happening in my production 2016 vda servers.
    I am not sure what to look for. Can you point me in a direction to research this issue ?

    1. If you Google File Explorer not refreshing, you’ll find many possible solutions. Maybe one of them will help you.

  12. Hi Carl, i have citrix 7.15LTSR and have a SaaS Client Application which downloads all the librarys into %Appdata% i cant change the installation path. can you recommend a citrix publish app solution for this. Do you download the content into a shared folder or do you create somekind of a sandbox app? thanks for your help, kind regards, adrian

    1. Is this a ClickOnce app? Usually I let the app install for each user and then roam the user’s profile. Sometimes I can move the files from AppData to Program Files and publish it from there but it doesn’t always work.

  13. Hi Carl,

    I am looking to configure it in such a way that the application which is part of an app group, launches from ONLY the servers tags were assigned to and not any other, even if an app which is outside of that group is running from some server which has no tags assigned. I followed this article which talks about disabling session sharing: (

    However, it only works if I launch the *app1* first (which is part of the app group), followed by the *app2* (not part of app group). The sessions for apps are created on different servers as expected. But if *app2* is launched first, and from a server which has no tags assigned, then *app1*, when launched, launches from the same server app2 has already been running….without taking the tag restriction into account which it should have had (being part of the app group).

    Is there any way to achieve that? Or I just HAVE to create a new DG? Why does it work one way but not the other way?

    Any help is really appreciated!

  14. Hi Carl

    & ‘C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1’


    Add-PSSnapin citrix*

    are not needed.

    The above are only needed to import the legacy -DS StoreFront SDK which is in very old versions of StoreFront. All -STF cmdlets should autoimport AFTER StoreFront is installed on new PS sessions so long as PS is 4.0 or higher.

    Sadly a lot of docs are incorrect and suggest doing this.

    Regards Mark

  15. Hi Carl, I know there is a way in the store advanced settings to make desktop look like a published application, but is there anyway to make a published application look like a desktop in receiver/workspace from the storefront?

    I would be happy to explain why I would want to do that if interested.


  16. Hi Carl,

    Is there any way to publish same APP-V application.exe with diferents arguments? I´m using single Admin mode APPV with Studio.

    1 – Microsoft\Edge\Application\msedge.exe
    2 – Microsoft\Edge\Application\msedge.exe
    3 – Microsoft\Edge\Application\msedge.exe

    I´ve tried many ways, but appv seems get only the first one “exe”.. and ignore anothers. When i add the package in studio, applications TAB show me just one app.

  17. Hi Looking for guidance. I have a W2K12 CVAD7.1912 CU1 site. I am looking for a way to restrict access to a published application when the users are connecting remotely. (NO Netscaler Gateway)

    1. Users connect remotely using the customers RAS solution
    2. Once authenticated the users connect to the internal Storefront servers and access to their Published apps.

    I have
    * Specific Delivery Group – contains 2 VDAs – which host 2 x Published apps
    * Both Apps have – a specific domain security group to give access

    I am looking for a way
    * to restrict access to ONE of the applications when they users are connecting remotely via RAS
    * Users should have access to both Apps when onsite
    * If above not possible to restrict just one of the apps – then a solution that would restrict Both apps

    * Users should still have access to other applications presented from different VDAs/Delivery groups

    Citrix Storefront currently has a single store

    Is there a way of using a Whitelist (easier than a blacklist) to allow access to the one specific “restricted” App once connection comes from a “Subnet” on the “Whitelist” (all the internal device subnets)

    Any advice much appreciated

    1. Delivery Groups can be filtered by source IP address – This is the entire Delivery Group.

      You can create a separate StoreFront store (probably on separate StoreFront server) and filter apps there. Configure RAS to allow access to the filtered store but not the normal store.

      1. Hi Carl, looking into this further – would the following work without having to setup a new Store or doing any reconfig of the Customers RAS solution. Am I missing something? or would this work

        Want to restrict access to the 2 applications which are the only 2 applications hosted on 2 WkK16 CVAD7.1912 VDAs which are in their own “Delivery Group”

        Basically on the Delivery Group –
        1. Enable “IncludedClientIPFilter”
        2. Configure Whitelisted ips of the customers onsite ip ranges (so all the ip subnets the users connect from when in the office.

        Set-BrokerAccessPolicyRule ‘W2k16 Restricted Delivery Group_Direct’ -IncludedClientIPFilterEnabled $true –addIncludedClientIPs “ ,′ (list all the ip office subnets)

        So if the users are in the office and connect to storefront url and launch an application in the “Restricted delivery group” they will get access to the 2 apps

        If they connect via RAS and connect to Storefront url – they will be on a different ip subnet – then they will not have get access to the 2 apps

  18. We are using Citrix Cloud Virtual Apps and Desktop service with VDA 7.15 LTSR. We want to publish MS Teams using a published Chrome browser and take advantage of the web cam and microphone features. I am hearing that VDA 1912 LTSR has a bug with MS Teams? But any tips on allowing web cam and microphone only from remote clients? We are also using FLogix as our profile management solution. We are trying not to install O365 on the RDSH 2016 VDAs.

    1. 1912 CU1 has Teams optimization (offload) that is enabled by default. There’s a Citrix Policy setting you can configure to disable it.

      1. For our first deploy, we are thinking of using the Teams Web app for starters to see how it will perform. We have many small VDAs allowing only 8 users on each for a 2 vCPU, 12GB Ram 2016 RDSH. Any good bits of advice on how to enable an endpoints webcam and microphone using the Chrome browser publshed?

  19. Hi Carl

    I’m a big fan! – have helped me a lot over the years.

    Right now I’m in the start-up phase of moving Virtual apps from 2012 R2 to 2019. We only use published apps (or seamless applications if you like). In 2012 R2 I have published the Control Panel and made a few settings available for the users – Printers, Keyboard, Mouse etc. This also work fine in 2019 except Default Programs. As I understand it you now have to use Windows Settings to select default apps. Is there a way to publish Windows Settings or – even better – parts of Windows Settings – In this case Default apps?


Leave a Reply

Your email address will not be published. Required fields are marked *