Installing and Configuring Citrix ShareFile clients in a XenApp / XenDesktop environment and limit access with RES Workspace Manager

In a previous post I described how to install and configure the ShareFile Windows Sync client and the ShareFile Outlook Plugin. In a few previous projects I needed to implement these clients into a Citrix XenApp / XenDesktop environment where they also use RES Workspace Manager for user personalization. Another challenge was that not every user within the XenApp / XenDesktop environments would get a ShareFile account, so access to the ShareFile clients should be limited.

In this blog I will show you how to accomplish this in a few easy steps.

ShareFile Sync for Windows

Unlike on a local desktop or laptop, you will need to install the ShareFile Sync for Windows On-Demand version (Certified for XenApp and XenDesktop). The main difference between this version and the local desktop/laptop version is that files are not automatically available offline. A file is downloaded at the moment the user opens it.

Installation


Click Install


Select I accept the terms in the License Agreement and click Install


Click Finish


Click Close

Policies

The Windows Sync client can be configured by policies. This is done via the ShareFileOn-demand.admx template, which is located on any computer where the Windows Sync client is installed, in the following path: C:\Program Files\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions\

Install the ShareFileOn-demand.admx in the Policy Definitions directory of the Active Directory so that these settings can be set globally.

For almost every ShareFile implementation I configure SAML integration for authentication (XenMobile AppController or ADFS). Therefore I set the following policy settings so that the Windows Sync client is configured automatically, without interaction from the end user.

Policies > Administrative Templates > ShareFile > Enterprise Sync

User policies;

Account

Enabled, <subdomain>.sharefile.eu (or .com)

Authentication Type

Single Sign on using AD credential

On-demandPersonalFolder

Enabled, Sync Personal Folder

Machine policies;

On-demandSyncDiskVolume

Enabled, C:\

RES Workspace Manager : Hide all Drives

A few things need to be set within RES Workspace Manager, but first check whether the following setting is applied under Drive and Port Mappings;

Hide all drives (unless otherwise specified)


This setting makes it impossible for the Windows Sync client to open the ShareFile file location of the user. If this is the case, add the following mapping;


Fill in the following information;

Enabled: Yes
Administrative note: Only for Sharefile use
Action: Do not perform mapping operation
Device: C:
Friendly name: System Drive (only for Sharefile)
Hide drive: Always hide, but allow access
Access Control: <domain>\<ShareFile AD Usergroup>

RES Workspace Manager : Capture Windows Sync settings

For the ShareFile Sync client, settings need to be captured to make them roam; for that, the following User Settings are added under Composition > User Settings;


Fill in the following information;

Name: Sharefile Sync
Zero Profile mode: Capture targeted items on session end
Enabled: Yes
Preserve: Roam settings for user to any device
Apply: Load on session start
Capturing: Registry Key: HKEY_CURRENT_USER\Software\Citrix\Sharefile\Sync

RES Workspace Manager : Limit access to the Windows Sync

If not every Citrix XenApp or XenDesktop user gets a ShareFile account, we need to limit access to the Windows Sync client. This can easily be done with RES Workspace Manager, but as an alternative you can also configure this with GPOs.

The first step is to make an export and then remove the following registry keys from the vDisk (or every server if PVS is not being used);

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Citrix ShareFile Sync Monitor
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Citrix ShareFile Sync Session Agent

To make the ShareFile Sync client work for a selected ShareFile user group, the registry keys removed from HKEY_LOCAL_MACHINE must be added to HKEY_CURRENT_USER by using User Registry in RES Workspace Manager.


Fill in the following information;

Name: Anything you like
Administrative note: Automatic startup ShareFile Sync client (or something you like)
Enabled: Yes
Required connection state: Both online and offline connections
Access Control:  <domain>\<ShareFile user group>

ShareFile Outlook Plug-in

For the ShareFile Outlook Plug-In 3.3, use the Per-machine MSI version. This is a silent installation without any installation dialogs. The automatic update function is also not available in this version; automatic updating is not recommended anyway in a XenApp / XenDesktop environment that uses a read-only vDisk.

RES Workspace Manager : Limit access to the ShareFile Outlook Plug-in

To limit access to the ShareFile Outlook Plug-in, export and remove the following registry key from the XenApp / XenDesktop vDisk (or every server if PVS is not used);

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\Malone.AddinModule]
"FriendlyName"="ShareFile Outlook Plug-in"
"Description"="AddinModule"
"CommandLineSafe"=dword:00000000
"LoadBehavior"=dword:00000003

Within RES Workspace Manager, create a new User Registry with the above registry key, but under HKEY_CURRENT_USER, and add an Access Control filter for the ShareFile Active Directory user group.


For the non-ShareFile users, also create a User Registry and apply the following registry keys under HKEY_CURRENT_USER

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Malone.AddinModule]
"FriendlyName"="ShareFile Outlook Plug-in"
"Description"="AddinModule"
"CommandLineSafe"=dword:00000000
"LoadBehavior"=dword:00000002

Add an Access Control filter for non-ShareFile users, for example; NOT in <domain>\<ShareFile user group>

Keep in mind the LoadBehavior registry value. If it is set to 3 the plugin will be loaded; if it is set to 2, the plugin will be disabled.
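The following check is an added example, not part of the original post. It audits, from inside a user session, whether the two restrictions described above (Sync autostart values and the Outlook add-in key) are actually enforced. The group name is a placeholder, and it is an assumption that the HKCU entries mirror the HKLM paths shown on this page.

```powershell
# Added example: run inside a user session on a XenApp / XenDesktop host.
param(
    # Placeholder: replace with the AD group used in the Access Control filters.
    [string]$ShareFileGroup = 'CONTOSO\ShareFile-Users'
)

$runValues = 'Citrix ShareFile Sync Monitor', 'Citrix ShareFile Sync Session Agent'
$runKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$addinKey  = 'SOFTWARE\Microsoft\Office\Outlook\Addins\Malone.AddinModule'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Group membership is read from the logon token, so nested groups are included.
$groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { try { $_.Translate([Security.Principal.NTAccount]).Value } catch { } }
$isMember = $groups -contains $ShareFileGroup

$findings = @()

# 1. Machine-wide entries must be gone, otherwise every user gets the clients.
foreach ($name in $runValues) {
    if ($null -ne (Get-RegValue "HKLM:\$runKey" $name)) {
        $findings += "HKLM Run value '$name' still present"
    }
}
if (Test-Path "HKLM:\$addinKey") { $findings += 'HKLM Outlook add-in key still present' }

# 2. Per-user state must match group membership.
foreach ($name in $runValues) {
    $present = $null -ne (Get-RegValue "HKCU:\$runKey" $name)
    if ($present -ne $isMember) {
        $findings += "HKCU Run value '$name' present=$present, member=$isMember"
    }
}
$expected = if ($isMember) { 3 } else { 2 }   # LoadBehavior values from this page
$actual   = Get-RegValue "HKCU:\$addinKey" 'LoadBehavior'
if ($actual -ne $expected) {
    $findings += "HKCU LoadBehavior is '$actual', expected $expected"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "OK: ShareFile client state matches membership (member=$isMember)" }
```

Run it once as a member of the ShareFile group and once as a non-member; any warning means the machine-wide keys were not removed from the image or an Access Control filter is not applying.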

RES Workspace Manager : SAML Configuration

To automatically configure the ShareFile Outlook Plugin for the end user with the correct authentication method, a registry key can be applied for the ShareFile users. With this registry key applied, the end user no longer gets the "Getting Started" wizard and the Plugin is configured silently.

Within RES Workspace Manager, configure a User Registry with an access filter for the ShareFile Active Directory user group. In the next example an .eu ShareFile account is used and SAML authentication integration is applied (ADFS). Add the following registry key;

[HKEY_CURRENT_USER\Software\Citrix\ShareFile\SSO]
"Method"="saml-integrated"
"UserConfigurable"=dword:00000000
"Subdomain"="<subdomain>"
"Domain"="sharefile.eu"
"ApiCP"="sf-api.eu"

RES Workspace Manager : Capture ShareFile Outlook Plug-in settings

To make the ShareFile Outlook Plug-in settings roam, capture the following file;

%appdata%\ShareFile\Outlook\config.cfg


About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.
