It’s been a long time since I’ve explored Citrix clipboard redirection... how well has it evolved?

When you are working with remote applications and desktops, clipboard redirection is often vital for users to be able to do their jobs. I regularly copy and paste code snippets into and out of remote applications and desktops on Citrix. But unfortunately, because there are nefarious people out there, sometimes this can be seen as a security risk. Exfiltrating data by copying and pasting is, unfortunately, a significant area of data loss prevention.

I always used to take the attitude of “there are seldom technological solutions to behavioural problems”, and maintain that securing data in this way was more a problem for HR (in hiring the right people) than for I.T. (in locking all of the doors and windows). Some of this still stands up to scrutiny, obviously – a bad actor can always take a photo on his phone, write it down, even memorize it. But these days, a lot of security standpoints are to do with slowing down the ability of a bad actor to do damage, to restrict their progress deeper into your systems – mainly to remove some of the more obvious methods for stealing data or compromising devices, which therefore increases the chances of detection with less damage done.

As said earlier, I hadn’t looked at Citrix clipboard redirection for a long time, so I was pleasantly surprised that we now have a much more granular set of policies associated with the clipboard to choose from. The requirement we had was from developers who often had to copy and paste into their session but security wished them to be prevented from copying any data back out. A quick perusal of the available Citrix policies allowed me to quickly see this could easily be achieved.

Citrix policies for clipboard

First let’s have a quick run-through of the policies that we actually have available for clipboard redirection at this point in time.

This policy has been around for a very long time, and simply allows clipboard redirection to be done. It is turned on by default – we most commonly used to see this policy defined when we were looking to turn off the redirection.

Specifies the maximum allowed bandwidth (kbps) for data transfer between the session and the local clipboard.

Clipboard redirection bandwidth limit percent

Pretty similar to the above, and again one that has been around a while, this specifies the maximum amount of bandwidth the clipboard transfer can consume, as a percentage of the total session bandwidth.

This is one of the newer policies (well, it came along in 7.0, so new-ish), and this gave the first control around in which direction clipboard redirection would work. This policy simply disables session-to-client redirection, and allows client-to-session redirection. However this policy no longer applies if you are on a VDA version higher than 7.5.

These settings came along in 7.6, and this one simply works the same as the previous setting – it disables session-to-client (writing to the client), and enables client-to-session (writing to the session). However this policy can be extended by using another policy (Client clipboard write allowed formats), whereas the previous policy cannot – and anyway, the previous policy only applies to 7.5 or lower VDAs.

Restrict session clipboard write

Again from 7.6 onwards, this is the flip side of the previous setting and allows you to disable client-to-session (writing to the session) and enables session-to-client (writing to the client). Again, this can be extended by another policy (Session clipboard write allowed formats).

Client clipboard write allowed formats AND Session clipboard write allowed formats

These two policies (again, available from 7.6 onwards) are identical in activity except that they work on client-only clipboard or session-only clipboard as defined above. Obviously, the corresponding “Restrict xxx clipboard write” policy needs to be defined in order for this to take effect. This works as a kind of “override”, in that the respective session or client clipboard write is disabled (by the respective policies), but the data types defined here are selectively allowed to be copied and pasted. If you wanted to allow this to work in both directions, you would need to define both the “restrict write” policies and then both the “write allowed formats” policies as well.
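The policy interactions described in this post, modelled as an added example (not code from the original post and not Citrix code): it decides whether a clipboard transfer is allowed and flags settings that silently have no effect. The field names, the `legacy_one_way` label for the 7.0 policy, the sample format names, and the assumption that VDAs at 7.5 or lower ignore the 7.6 policies are all illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClipboardPolicy:
    # Field names are hypothetical labels for the policies described in the post.
    redirection_enabled: bool = True        # clipboard redirection, on by default
    legacy_one_way: bool = False            # the 7.0 policy; ignored above VDA 7.5
    restrict_client_write: bool = False     # 7.6+: blocks session-to-client
    restrict_session_write: bool = False    # 7.6+: blocks client-to-session
    client_write_allowed_formats: frozenset = frozenset()
    session_write_allowed_formats: frozenset = frozenset()

def transfer_allowed(p, vda, direction, fmt):
    """direction: 'session_to_client' or 'client_to_session'; vda: e.g. (7, 6)."""
    if not p.redirection_enabled:
        return False
    modern = vda > (7, 5)  # assumption: older VDAs ignore the 7.6 policies
    if direction == "session_to_client":
        if not modern:
            return not p.legacy_one_way
        if p.restrict_client_write:
            return fmt in p.client_write_allowed_formats  # the "override"
        return True
    if direction == "client_to_session":
        if modern and p.restrict_session_write:
            return fmt in p.session_write_allowed_formats
        return True
    raise ValueError(f"unknown direction: {direction}")

def audit(p, vda):
    """Return warnings for settings that have no effect as configured."""
    warnings = []
    if p.legacy_one_way and vda > (7, 5):
        warnings.append("legacy one-way policy does not apply above VDA 7.5")
    if p.client_write_allowed_formats and not p.restrict_client_write:
        warnings.append("client allowed formats set without restrict client write")
    if p.session_write_allowed_formats and not p.restrict_session_write:
        warnings.append("session allowed formats set without restrict session write")
    return warnings

# The developers' requirement from the post: paste in, nothing back out.
DEV_POLICY = ClipboardPolicy(restrict_client_write=True)
# Constructed variant: as above, but plain text may still be copied out.
TEXT_OUT_POLICY = ClipboardPolicy(
    restrict_client_write=True,
    client_write_allowed_formats=frozenset({"CF_UNICODETEXT"}),
)
```

Running `audit` against a configuration that still relies on the 7.0 policy with a newer VDA shows the gap: the policy is set, but session-to-client copying is open.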