Controlling application and desktop access

There are multiple ways available to hide or show applications and desktops from users based on their username, group membership, connection method, etc.

Below are a list of some of the common methods you can use to control resource access.

Users and Groups

To assign a resource based on the user or group membership, edit your Delivery Group and under the Users section add a user group or username(s).


Connection Type

Again when editing a Delivery Group under the Access Policy section you can allow connections that do not come through NetScaler Gateway, do come through NetScaler Gateway or both.


Limit Visibility

To limit the visibility of an application to some users, locate the desired application and right-click, Properties.


Click Limit Visibility -> Limit Visibility for this application to the users listed below.


Per store via description

You can hide or show applications and desktops completely from stores based on the description of the resource. This cannot be done from the GUI so instead use PowerShell.

Log on to your primary StoreFront server and browse to C:\Program Files\Citrix\Receiver StoreFront\Scripts and copy the ImportModules.ps1 file.


Now browse to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ and create a new folder called ImportModules. Now copy the ImportModules.ps1 file to this folder.


Launch PowerShell as an administrator.


Run command Import-Module ImportModules.ps1.


Now in my scenario I have two stores, XenApp and CitrixPro.


Before continuing we need to find out the IIS Site ID for the web site hosting our Citrix store virtual directories. The Site ID in most cases will be 1. Launch IIS and then highlight the site which stores the Citrix virtual directories (in most cases Default Web Site).


Right-click the site, Manage Website -> Advanced Settings…


Next take note of the ID number and then close IIS.


I want to show only desktop resources in store CitrixPro and applications in store XenApp. The filtering of resource is done based on the description an application or desktop has been given. To make things easy, I am assigning a description of App to my applications only, and not giving any description to the desktops, however I could do if I wanted to get more granular with extra stores.

Using Citrix Studio, open the properties of an application and under Identification enter KEYWORDS: App then click OK.


Return to PowerShell and run command Set-DSResourceFilterKeyword -SiteID 1 -VirtualPath “/Citrix/CitrixPro” -ExcludeKeywords @(“App”)


Now run command Set-DSResourceFilterKeyword -SiteID 1 -VirtualPath “/Citrix/XenApp” -ExcludeKeywords @(“App”)


Browse to the CitrixPro Receiver for Web site and only the desktop resource appears.


Over on the XenApp Receiver for Web site the applications only appear.18-min

Per application or desktop

You can set Citrix stores to only show applications or desktops.

Launch PowerShell on your StoreFront server and import the required modules using the same method found above.

Run command Set-DSResourceFilterType -SiteID 1 -VirtualPath “/Citrix/XenApp” -IncludeTypes @(“Applications”)

Next run command Set-DSResourceFilterType -SiteID 1 -VirtualPath “/Citrix/CitrixPro” -IncludeTypes @(“Desktops”)


Now depending on which store you visit, you will either see Desktops or Applications.


Based on NetScaler Gateway connection

You can limit Delivery Groups to certain NetScaler Gateway addresses. To do this firstly edit the Delivery Group and browse to the Access Policy section.

Click Add.

Specify the URL for your NetScaler Gateway and click OK.


Uncheck All connections not through NetScaler Gateway if you wish. Click OK.


Now when using a different NetScaler Gateway URL the resources will not appear.



Leave a Reply